A-7D Aircraft

Analytical  redundancy  offers  high  potential  for  solving  the  sensor  redundancy 
problem.  The  current  state-of-the-art  in  analytical  redundancy  contains  a 
number  of  candidate  filters  which  are  developed  here  from  a fundamental 
relationship of variables through hybrid simulation. Three analytical redundancy
concepts  of  varying  complexity  were  developed  for  the  A-7D  aircraft.  Two 
monitor  techniques  were  used:  a multiple  trip  level  exceedance  criteria  currently 
Results indicate that fault detection, whether designed by classical methods or
Kalman filtering, performs similarly and that gust estimation improves fault
detection  performance.  Also,  failure  isolation  for  a single  set  of  unlike  sensors 
is  difficult  to  achieve  with  a reasonable  computation  load. 
diagnostic filters to be used with comparison monitors for dual sensor failure
isolation, creating a fail-operative dual sensor system. Fail-safe operation
will also be achieved by continuing to monitor the filters and to detect, but not
isolate, a second failure.
SECTION 1


INTRODUCTION  AND  PROGRAM  OVERVIEW 

1.1 THE SENSOR REDUCTION PROBLEM

Reliable  digital  flight  control  systems  are  burdened  with  large  numbers  of  sensors  which 
are  required  for  both  quality  and  redundancy. 

The demand for control quality has expanded the types of sensors used in basic augmentation
functions. The humble yaw damper, with a single rate gyro, for example, has
grown to be a sophisticated inertially coordinated CAS, requiring sensed rates, attitudes,
angle-of-attack and airspeed. The pitch damper has grown to be a complex multifunction
control law using several sensed quantities to drive multiple surfaces. The benefits
of this improved quality are dramatic (e.g., the A-7D Digital Multimode System), and
future aircraft are not likely to accept less.

At  the  same  time,  mission  reliability  requirements  have  forced  duplication,  triplication, 
and  even  quadruplication  of  critical  sensing  systems.  Hardware  redundancy  has  grown 
to  the  point  where  the  potential  for  mismanagement  alone  represents  a major  concern 
for  flight  safety. 

These  large  sensor  populations  exact  their  toll  in  system  cost.  Also,  many  sensors 
distributed  throughout  an  airframe  make  wonderful  antennas  to  aggravate  lightning  and 
EMP  susceptibility.  They  impose  environmental  problems,  compromise  vulnerability, 
and  constrain  overall  airframe  design.  Hence,  there  is  ample  motivation  to  reduce  the 
sensor  population.  Fortunately,  there  are  reasons  to  believe  that  significant  reductions 
are  possible.  Present  voting  techniques,  for  example,  waste  as  much  as  a full  channel  of 
sensor  hardware.  The  control  laws  themselves  may  also  use  excessive  hardware  in  that 
certain  sensed  signals  may  be  replaceable  with  equivalent  estimates. 

1.2  STUDY  GOALS 

The purpose of this study was to demonstrate just how much sensor reduction is attainable
in practice. Examinations of various techniques for achieving sensor reduction
were conducted, with particular emphasis on so-called "functional" or "analytical"
redundancy concepts. Three promising concepts were selected and evaluated through
detailed design, computer cost effectiveness, and hybrid simulation for the A-7D aircraft.
The most promising single concept was then selected from combinations of all
three and recommended for flight test.

Initial  investigations  with  the  current  A-7D  sensor  system  resulted  in  two  possible  design 
goals:

1.  Design  to  maintain  current  system  reliability  with  associated  sensor 
reduction,  and 

2.  Design  to  upgrade  system  reliability  to  achieve  improved  mission 
standards  with  current  sensor  complement. 

Of the two approaches, the second presents a greater technical challenge and is more
compatible with current digital fly-by-wire mission standards. It is also implicit that
development of the technology necessary to achieve the second design goal will encompass
development of the first.

1.3  CONCEPT  SELECTION 

Two  general  techniques  are  recognized  for  sensor  reduction: 

1. Control Law Modification — Ensures that operational requirements can be
met with the minimum number of sensors.

2. Fault Tolerant Design — Exploring all possible techniques for meeting reliability
requirements of failure tolerance with a minimum number of sensors,
the following potential solutions exist:

• Skewed  and  special  sensors 

• Integration for redundancy management (e.g., flight sensor sharing
with navigation function)

• In-line  sensor  monitoring 

• Analytical  redundancy 

Of  these,  analytical  redundancy  offers  high  promise  for  sensor  reduction. 
1.3.1 Analytical Redundancy

In  general,  analytical  redundancy  is  approached  using  one  of  two  basic  building  blocks: 

• Diagnostic  Filter  (DF) — An  assembly  of  sensors  combined  in  some  functionally 
related  fashion  such  that  a failure  of  any  one  can  be  diagnosed. 

• Super-Diagnostic  Filter  (SDF) — An  assembly  of  sensors  combined  in  some 
functionally  related  fashion  such  that  a failure  of  one  can  be  detected  and 
isolated  to  the  specific  faulted  sensor. 

Given  these  two  definitions,  one  can  use  assemblies  of  diagnostic  filters  to  construct  a 
super-diagnostic  relationship  through  truth  table  logic. 

A literature  survey  was  performed  to  examine  currently  available  techniques  that  had 
promise  of  being  able  to  detect  and  isolate  faults  in  aircraft  sensors  and  meet  current 
on-board  flight  computer  allocations.  All  schemes  fell  into  three  basic  categories: 

1.  Failure  detection  with  assemblies  of  diagnostic  filters 

2.  Specific  diagnostic  filter  design  techniques 

3.  Explicit  super-diagnostic  filter  design  techniques 

Three  concepts  were  chosen  for  development  through  hybrid  simulation.  These  concepts 
are  distinguished  by  design  procedure  and  complexity.  The  final  recommended  system 
is  a combination  of  individual  filters  designed  within  these  concepts. 


Concept I. Observer/Blender — Five diagnostic filters, which model physical
relationships using sensor outputs, provide fault detection for nine
sensors (n_z, P, Q, R, φ, θ, ψ, α, h). Monitors use a three trip
level exceedance criteria. Trip boundaries are scheduled on sensor
outputs to account for unmodeled dynamics and sensor anomalies.

Concept II. Diagnostic Kalman Filters — Kalman filters with greater capability
for modeling sensor anomalies in the filter, i.e., bias, scale
factors, and estimation of wind gusts. Fault detection is provided
for sensors included in Concept I plus U_m and n_y.

Concept III. Super-Diagnostic Design — Kalman filters using linear equations for
pitch and lateral-directional dynamic equations of motion. Both
detection and isolation are addressed. These filters contain gain-scheduled
models for the A-7D. All inputs were prefiltered to
eliminate low frequency dynamics.

1.3.2  Fail-Operational  Followed  by  Fail-Safe  Philosophy 

Concepts  I and  II  can  operate  with  comparison  monitors  of  dual  sensors  to  isolate  faults 
for  a fail-operational  capability.  A fail-safe  capability  exists  for  Concepts  I and  II  for 
all  single  sensors  and  for  dual  sensors  after  one  failure. 

1.3.3  Fault  Detection  Monitors 

Fault detection monitors used in this study fall into three categories:

1.  Multiple  trip  monitors  were  designed  for  all  concepts.  These  are  fairly 
standard  monitors.  Scheduling  trip  boundaries  on  sensor  values,  to  handle 
known  sensor  and  modeling  errors,  was  performed  in  Concept  I.  Pilot 
input  command  scheduling  to  handle  aircraft  transients  was  used  in  all 
concepts.  The  fault  detection  logic  requires  three  consecutive  trips  for  a 
fault  to  be  declared. 

2. A sequential likelihood ratio test (SLRT) of the mean value was used in
Concepts II and III along with multiple trip monitors. Theory based on hypothesizing
a shift in the mean value of the filter error signals was used.

3.  A SLRT  on  likelihood  function  differences  was  used  with  comparison  monitors. 
This  function  isolates  a faulted  dual  sensor  by  deciding  which  sensor  channel 
has  the  fault  once  a miscompare  has  been  declared. 
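
The two residual monitors of items 1 and 2, run side by side on constructed filter error signals, as an added example (not code from the report). The Gaussian residual model, the 3-sigma trip level, the hypothesized 2-sigma shift, the alpha and beta values and the restart-at-zero rule are assumptions of this sketch.

```python
import math

# Constructed, repeating zero-mean "noise"; sigma is taken as 1.0 (assumption).
NOISE = [0.4, -0.7, 0.2, -0.3, 0.6, -0.2]


def constructed_residuals(offset, fault_index=30, length=60):
    """Filter error signal: noise only, then noise + offset from fault_index on."""
    return [NOISE[i % len(NOISE)] + (offset if i >= fault_index else 0.0)
            for i in range(length)]


def multiple_trip_monitor(residuals, trip_level, required=3):
    """Declare a fault after `required` consecutive trip-level exceedances.

    Returns the sample index of the declaration, or None if none is made.
    """
    consecutive = 0
    for i, r in enumerate(residuals):
        consecutive = consecutive + 1 if abs(r) > trip_level else 0
        if consecutive >= required:
            return i
    return None


def slrt_mean_monitor(residuals, sigma, shift, alpha=1e-6, beta=1e-3):
    """Sequential likelihood ratio test for a shift of +/-shift in the mean.

    H0: residual ~ N(0, sigma^2); H1: residual ~ N(+/-shift, sigma^2).
    The log-likelihood ratio is accumulated per sample and restarted whenever
    it falls to zero or below, so the test runs continuously (assumption).
    """
    threshold = math.log((1.0 - beta) / alpha)  # Wald's upper decision boundary
    llr_pos = llr_neg = 0.0
    for i, r in enumerate(residuals):
        llr_pos = max(0.0, llr_pos + shift * (r - shift / 2.0) / sigma ** 2)
        llr_neg = max(0.0, llr_neg + shift * (-r - shift / 2.0) / sigma ** 2)
        if max(llr_pos, llr_neg) >= threshold:
            return i
    return None


def compare(offset):
    """Return (trip-monitor index, SLRT index) for a fault injected at sample 30."""
    res = constructed_residuals(offset)
    return (multiple_trip_monitor(res, trip_level=3.0),
            slrt_mean_monitor(res, sigma=1.0, shift=2.0))


if __name__ == "__main__":
    for name, offset in [("healthy", 0.0), ("hardover", 10.0), ("soft shift", 2.0)]:
        print(name, compare(offset))
```

The hardover case shows the built-in delay of the three-trip logic, and the soft shift stays under the trip level for every sample while the accumulated likelihood ratio still crosses its boundary.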

1.3.4  A-7D  Design  Application 

Concepts  chosen  for  development  were  applied  to  the  A-7D  aircraft.  The  reasons  for 
this choice were as follows:

• The A-7D is currently being flight tested with an all-digital CAS and multimode
outer loop control design. The dual Honeywell 301 computers and dual acceleration
and body rate sensor offer a good baseline for the design philosophy of
this study.

• The  HDC  301  computers  currently  on  board  the  A-7D  have  residual  core  and 
calculation  frame  time  which  allow  parallel  programming  of  either  Concepts  I 
or  II  to  conduct  fail-operational  (fail-op)  and  fail-safe  experiments. 

Another reason for choosing the A-7D aircraft and flight control system is the prospect
of achieving a fairly dramatic improvement in mission reliability. The A-7D system
with dual computers currently has fail-safe dual sensors and servos. Its mission abort
probability is estimated at 12.6 x 10^-4 per flight hour. Analytical redundancy operating
at a 95 percent effectiveness cuts this to 6.6 x 10^-4. If the same 95 percent effective
redundancy were achieved for the servos, the mission abort probability would be reduced
to 0.8 x 10^-4.

1.4 CONCEPT DEVELOPMENT

The  three  selected  concepts  were  developed  for  hybrid  simulation  of  the  A-7D.  Key 
design  issues  addressed  were  the  following: 

• Appropriate  monitor  level  scheduling  in  Concept  I to  account  for  filter 
modeling  simplifications 

• Kalman  filter  design  modifications  to  insure  that  each  sensor  had  a sufficient 
failure  transient  for  failure  detection 

• Gain-scheduled  Kalman  filters  which  would  generate  consistent  error  signal 
statistics  over  the  flight  envelope 

A pre-simulation  analysis  of  fault  detection  monitors  was  also  conducted  to: 

• Insure  that  the  false  alarm  specification  (<1  per  1000  flight  hours)  was  met 

• Investigate  the  impact  of  error  signal  autocorrelation  on  monitor  performance 

Sensor error and fault modeling requires careful treatment for fault detection because
typical sensor models are not sufficient and fault characteristics are not well-defined.
Key modeling issues are:

• Modeling of characteristics (particularly noise) based on an operational environment,
and not on manufacturer's sales data

• Fault  categories  based  on  type  and  percentages  of  occurrence  for  each  sensor 

1.5  A-7D  SIMULATION 


Much attention was given to false alarm checkout. Monitors were adjusted based on
filter responses to the following inputs:

• Random wind gusts (6 ft/sec)

• Two g pitch-up maneuvers

• 60° in one second roll commands

• "1-COS" and "p" gust inputs

Monitor adjustments included a roll uplogic, scheduled with stick commands, designed
to handle high roll rate transients.

Fault runs consisted of subjecting the fault detection algorithms to a number of high
probability faults:

1.  Sensor  hardover 

2.  Dead  sensor 

3.  Dynamic  response  reduction  (accelerometers  only) 

4.  Scale  factor  changes 

5.  Bias  shifts 

1.6 CONCLUSIONS AND RECOMMENDATIONS


Results from the A-7D simulation offer a number of performance conclusions both on an
absolute basis, i.e., which ones will work in the real-world environment of flight test,
and on a relative basis, i.e., which ones work better than others.

On an absolute basis, Concept I works well for faults in all sensors (n_y and U_m not
addressed) except and has marginal performance for n_z. Concept II performs well
for almost all sensors with marginal performance for n_y (this was anticipated at the
outset).
Concept III results lead to a number of performance concerns and developmental needs.
The basic notion of obtaining fault detection and isolation for a single set of unlike
sensors (measuring different quantities) was addressed. Two areas of greatest difficulty
for Concept III were:

• Accelerometer soft failure detection, e.g., dead sensor, scale factor
faults, and dynamic response faults

• Fault isolation based on more than one filter detecting a given fault. This
demonstrated some difficulty if both filters did not detect the failure at
the same time.
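
Truth-table isolation from an assembly of diagnostic filters (Section 1.3.1), together with the timing difficulty named in the last bullet, as an added example that is not the report's code. The filter families, the latching of error flags and the settle window are hypothetical choices made for the illustration.

```python
# Hypothetical diagnostic-filter families: which sensors feed each filter.
# These groupings are an assumption, not the report's filter designs.
FAMILIES = {
    "DF1": {"P", "R", "Q", "theta"},
    "DF2": {"Q", "nz"},
    "DF3": {"theta", "h"},
    "DF4": {"nz", "h"},
}


def build_truth_table(families):
    """Map each error-flag pattern to the sensors whose failure produces it."""
    signature = {}
    for name, sensors in families.items():
        for s in sensors:
            signature.setdefault(s, set()).add(name)
    table = {}
    for s, flags in signature.items():
        table.setdefault(frozenset(flags), []).append(s)
    return {flags: sorted(sensors) for flags, sensors in table.items()}


def unisolable_groups(table):
    """Design-time check: sensors that share a flag pattern cannot be told apart."""
    return sorted(group for group in table.values() if len(group) > 1)


def classify(flags, table):
    """One look-up in the truth table for the set of raised error flags."""
    flags = frozenset(flags)
    if not flags:
        return ("healthy", [])
    candidates = table.get(flags, [])
    if len(candidates) == 1:
        return ("isolated", candidates)
    # Either several sensors share this pattern or no single fault explains it.
    return ("detected", candidates)


def isolate_settled(frames, table, settle=3):
    """Latch flags and decide only after the pattern is unchanged for `settle` frames.

    `settle` must exceed the worst-case skew between filters detecting the
    same fault; otherwise a partial pattern is looked up too early.
    """
    latched, stable = frozenset(), 0
    for i, raised in enumerate(frames):
        new = latched | frozenset(raised)
        stable = stable + 1 if new == latched else 1
        latched = new
        if latched and stable >= settle:
            return (i,) + classify(latched, table)
    return None


TABLE = build_truth_table(FAMILIES)

# Constructed flag history for a Q sensor fault: DF1 detects two frames before DF2.
Q_FAULT_FRAMES = [set(), set(), {"DF1"}, {"DF1"},
                  {"DF1", "DF2"}, {"DF1", "DF2"}, {"DF1", "DF2"}]

if __name__ == "__main__":
    print("unisolable:", unisolable_groups(TABLE))
    print("first flag only:", classify(Q_FAULT_FRAMES[2], TABLE))
    print("settled:", isolate_settled(Q_FAULT_FRAMES, TABLE))
```

Looking up the pattern on the frame where only DF1 has fired points at P or R rather than Q, which is the failure mode the bullet describes when filters do not detect at the same time.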

Table 1 contains a subjective summary of the Concept I and II comparative results and a
recommended system for further development through flight test.

TABLE 1. SUBJECTIVE COMPARISONS OF CONCEPTS I AND II

Sensors: first group of four (symbols illegible)
    Concept I performance:   marginal, poor, good, not addressed
    Concept II performance:  good, good, good, good
    Recommendation:          Concept II
    Reason:                  Clear performance edge over Concept I.

Sensors: second group of six (symbols illegible)
    Concept I performance:   good for all six
    Concept II performance:  excellent for all six
    Recommendation:          Concept I or II
    Reason:                  Concept I is less complex with comparable performance.
                             Concept II bias estimates can be used for slow bias
                             faults.

Sensor: n_y
    Concept I performance:   not addressed
    Concept II performance:  marginal
    Recommendation:          Retain Concept II filter for flight test
    Reason:                  Retains the only n_y diagnostic. Offers some state
                             reconstruction capability.

All  concepts  failed  to  detect  dynamic  response  faults. 
A comparison of monitors shows that the sequential likelihood ratio test (SLRT) of
residual  mean  values  performed  very  well  relative  to  the  multiple  trip  monitor.  SLRT 
caught  hardover  failures  sooner  (almost  by  definition,  as  the  multiple  trip  monitor  has 
a built-in  delay).  SLRT  also  showed  good  soft  failure  identification  characteristics, 
particularly  scale  factor  changes  that  escaped  the  multiple  trip  monitor. 

Finally,  state  reconstruction  was  not  addressed  here  since  it  was  recognized  early 
that  this  would  not  provide  a fail-operational  capability.  Some  consideration  might  be 
given  to  a fail-suboperational  capability  which  would  result  in  the  replacement  of  a 
single  failed  sensor  with  an  estimated  sensor.  This  would  be  in  lieu  of  automatically 
going  from  fail-op  to  fail-safe  upon  a second  sensor  failure.  Retaining  the  lateral- 
directional  gain-scheduled  filter  would  provide  an  experimental  base  for  this  in  addition 
to its own n_y fault diagnostic capability.

1.7  DOCUMENT  ORGANIZATION 

This  document  is  organized  into  six  sections.  This  section  contains  an  introduction  to 
sensor  reduction  and  a program  overview.  Section  2 presents  a detailed  explanation  of 
sensor  reduction,  a classification  of  techniques,  and  an  overview  of  analytical  redundancy. 
The  rationale  for  the  three  concepts  chosen  for  development  is  also  given. 

Section  3 covers  sensor  modeling,  including  basic  measured  quantities,  sensor 
characteristics,  fault  models,  and  sensor  simulation  models.  Section  4 contains 
design  details  for  the  various  analytical  redundancy  filters  and  monitors  and  describes 
how  they  fit  together  into  a fail-op/fail-safe  system.  Section  5 presents  the  simulation 
setup  and  results.  Specific  technical  conclusions  and  recommendations  are  discussed 
in  Section  6. 

Cost effectiveness, i.e., what each system will cost in computer requirements and save
in  hardware  costs,  is  presented  in  Appendix  A.  The  hybrid  computer  simulation  of  the 
A-7D  with  CAS  is  discussed  in  Appendix  B.  Appendix  C outlines  an  alternate  scheme 
for  Euler  angle  body  rate  fault  detection  using  quaternions. 

Finally,  strip  charts  of  aircraft  and  fault  detection  filter  performance  during  simulation 
are presented in Appendix D. The fault detection algorithms are documented in Appendix E.
SECTION 2


CONCEPT  SELECTION 

2.1 SENSOR REDUCTION TECHNIQUES

There  are  two  general  techniques  for  reducing  the  number  of  sensors  required  for  flight 
control.  One  is  to  use  fewer  sensors  in  the  basic  simplex  (single  channel)  control  laws; 
i.e., redesign the controller to use fewer sensed quantities while achieving the same
performance. This we'll call "control law modification." The second is to use fewer
duplicate sensors in the redundancy management scheme, i.e., achieve the same level
of redundancy with fewer hardware elements. This we'll call "fault tolerant design."
These  techniques  can  be  used  together  to  minimize  the  overall  sensor  population. 

2.1.1  Control  Law  Modification 

Control  law  modifications  reduce  the  number  of  sensor  types  required  for  a simplex 
control  channel  to  a minimum.  This,  in  turn,  reduces  the  number  of  redundant  sensors 
required  for  system  reliability.  In  essence  the  technique  implies  better  control  law 
design.  These  techniques  are  application  dependent. 

Signal  synthesis  is  an  example  of  a control  law  modification.  The  number  of  sensors 
required  is  reduced  by  synthesizing  a signal  or  group  of  signals  from  a reduced  set. 

In  the  context  of  modern  control  theory,  the  synthesis  elements  are  Kalman  filters  or 
Luenberger  observers.  In  a classical  sense,  the  synthesis  is  achieved  by  dynamic 
compensation  of  the  reduced  sensor  set.  In  the  final  analysis,  the  two  viewpoints  are 
equivalent. 

The issues are complexity and performance. Reduction in the number of sensors is
traded  off  against  increased  complexity  of  the  control  laws.  In  analog  systems  this  is 
an  important  tradeoff.  It  is  not  nearly  as  critical  when  the  system  is  implemented 
digitally.  Then  system  performance  is  the  driver.  The  quality  of  the  synthesized  signal 
must  be  equivalent  to  the  sensor  eliminated.  Primary  quality  parameters  are  DC 
accuracy,  signal  bandwidth,  and  noise  content.  Observability  theory  tells  us  that  the 
state  variables  of  the  system,  and  hence  sensor  outputs,  can  be  reconstructed  from  a 
single hardware sensor if the system is completely observable from that sensor. We
know that in a practical sense, however, the quality of the synthesized signal will suffer.
Synthesizing rates from attitudes is an example. This requires high bandwidth filters
approaching the quality of a differentiator over the control bandwidth. This is not realistic
unless a very high quality (low noise, wide bandwidth) attitude signal is available.

Thus,  we  must  exercise  practical  judgment  in  applying  signal  synthesis  techniques.  Even 
the  most  sophisticated  estimation  theories  cannot  overcome  basic  physical  limitations. 

Integrated  flight  management  is  another  control  law  modification  technique.  The  idea 
is  to  combine  subsystems  which  use  common  sensor  types.  For  example,  the  ring  laser 
gyro  is  being  studied  for  joint  applications  of  strapdown  navigator  and  primary  flight 
control  (Reference  1).  The  quality  of  the  rate  and  acceleration  signals  derived  from  the 
navigator  is  high.  The  signals  can  be  used  in  flight  control  loops.  The  issue  is  cost. 
Normally  the  navigator  is  not  flight  critical  and  is  not  made  redundant.  Four  navigation 
systems  would  be  required  for  a system  with  dual-fail-operative  capability  (using  voting 
techniques).  How  does  this  cost  compare  with  one  navigation  system  and  triply  redundant 
sensors?  A second  issue  is  multiple  failures.  Loss  of  one  element  of  the  navigation 
system,  a gyro  for  example,  means  loss  of  both  attitude  and  rate  information. 

The  end  product  of  control  law  modification  is  a better  control  system  design  with  a 
minimum  set  of  sensor  types.  No  sensor  can  be  removed  from  this  set  without 
unacceptably  compromising  control  performance.  Maintaining  performance  through 
state  reconstruction  and  integrated  flight  management  is  a worthwhile  goal.  Sensor 
reduction,  as  it  is  addressed  in  this  design  study,  begins  after  assuming  that  the 
minimum  necessary  sensor  set  for  performance  has  been  identified. 

2.1.2  Fault  Tolerant  Design 

Once  a minimal  simplex  sensor  set  has  been  defined,  fault  tolerant  design  techniques 
can  address  the  redundancy  problem.  Our  goal  is  to  eliminate  the  need  for  quad  sensors 
currently  dictated  by  dual-fail-operative  requirements.  Potential  solutions  are: 

• Skewed  and  special  sensors 

• Integration  for  redundancy  management 

• In-line  sensor  monitoring 

• Analytical  redundancy 

The first three of these approaches have been studied extensively (References 2, 3, 4).
Where  the  technology  is  state-of-the-art,  it  is  used  here.  Where  not,  the  limitations 
are  fundamental  hardware  limitations.  Analytical  redundancy  is  new  and  shows  promise 
of  payoff. 


Skewed and Special Sensors--A skewed sensor arrangement can significantly reduce
the number of sensors required for redundancy management. For example, with orthogonal
gyros in a three-axis system, a total of 12 are required for a quad-redundant
dual-fail-operative capability. The same system with skewed gyros requires only six for
the same capability. Properly configured, any three gyros can be resolved to the
required three orthogonal signals. After two failures (four remain), the fact that a third
failure has occurred can be identified. The same savings apply for skewing accelerometers.
With two-axis acceleration required, a_z and a_y skewing reduces the number
of sensors from eight to five.

Table  2 shows  the  savings  that  can  be  accrued  simply  by  skewing  gyros  and  accelerometers. 
The  sensor  complement  consists  of  the  12  instruments  listed  in  the  Request  for  Proposal. 
However, skewing has practical limitations. For gyros, the scale and resolution requirements
are different for the three axes. In a conventional (orthogonal) system, the roll
rate gyro must have a larger scale or range than the pitch rate gyro. Conversely, the
pitch rate gyro requires more resolution. In a skewed arrangement all instruments
must be the same. This will either limit the resultant signal quality or increase the
component cost, potentially by more than the savings accrued by eliminating six conventional
gyros.


A generalized form of skewing can be achieved with special sensors. In this case the
measurements are skewed in measurement space (p, q, r, a_z, a_y, ...) rather than geometrically.
Special sensors measure linear combinations of variables. For example,
in the pitch axis, special sensors can measure signals (m) of the form

m = Q + kA

Each sensor has a different, known, constant k. Any two sensors can span the Q-A subspace.
Using this type of sensor, a conventional quad-redundant system requiring four
pitch rate gyros and four normal accelerometers can be replaced by five special sensors.


TABLE  2.  SENSOR  REDUCTION  WITH  SKEWING 


*One  sensor  in  Nav  system  used. 

**One channel replaced with Nav system.

Why don't we build such sensors today? We do, but we throw them away! Component
manufacturers work hard at building gyros that are not sensitive to acceleration (k = 0).
In component testing, those with k ≠ 0 are rejected. The obvious problem in building
such devices is consistency. In addition, special sensors tend to be unique for each
application, which increases manufacturing costs.

Integration  for  Redundancy  Management — Another  way  to  reduce  redundant  sensors  is 
through  subsystem  integration.  This  technique  is  currently  being  employed  for 
redundancy  management  in  the  Space  Shuttle  flight  control  system.  The  concept  uses 
sensor  data  from  subsystems  which  are  not  normally  functionally  related  for  monitoring 
and  tie  breaking.  In  the  case  of  the  Space  Shuttle,  derived  rates  from  the  navigation 
system  are  used  in  the  primary  flight  control  system  for  voting.  The  concept  is  related 
to  integrated  flight  management.  In  this  case,  the  redundant  subsystem  signal  is  not 
used  directly  in  the  feedback  loop  because  of  signal  quality  limitations. 

Table 2 shows the savings that can be accrued by skewing and integrating the navigation
and  flight  control  systems  for  redundancy  management. 


In-Line  Monitoring — Still  another  way  to  achieve  fault  tolerant  design  is  through  in-line 
monitoring.  It  was  determined  in  the  F-4  DFCS  study  (Reference  5)  that  a triplex 
system  with  95  percent  self-test  confidence  can  meet  the  dual-fail-operative  failure 
rate requirements. The state-of-the-art is approaching 99 percent self-test confidence
for  servos  and  computers.  Unfortunately,  this  is  not  true  for  sensors.  The  primary 
reason  for  the  difference  is  that  the  input  to  the  sensor  is  unknown  and  cannot  be  used 
for  self  test.  For  servos  and  computers,  the  inputs  are  available  for  use  in  self-test 
systems. 

Some  ad  hoc  approaches  have  been  developed  for  in-line  sensor  monitoring  of  rate  gyros 
and  accelerometers.  Partial  self  test  of  gyros  can  be  achieved  using  a spinmotor 
rotation  detector  to  ensure  that  the  speed  has  not  fallen  below  the  minimum  detectable 
level.  To  ensure  gimbal  freedom  and  proper  output  pickoff,  a small-amplitude  tracer 
monitor  signal  can  be  applied  to  a torquer  winding.  The  dither  signal  is  normally  well 
outside the control system bandwidth. The dither technique is also applicable to accelerometers.

Nearly all failures that occur in the device stop the wire vibration in the wire gyros
and accelerometers. Thus a test on the wire vibration is a good in-line self-test technique.

In-line  sensor  self-test  feasibility  is  limited  by  several  factors.  The  input  to  the  sensor 
is  unknown  except  when  special  test  signals  are  introduced.  Self-test  techniques  do  not 
include  sensor  installation  errors  (base  mounting).  Finally,  the  additional  complexity 
and  cost  associated  with  sensor  self  test  may  override  the  savings  gained  by  reducing 
the  number. 

Analytical Redundancy — Up to this point we have discussed what might be called conventional
approaches to sensor reduction: control law modifications, skewing, integration,
and sensor self test. We have concluded that these techniques are fairly well understood.
In particular we know what the payoff of each of these techniques will be and how
to use them when hardware considerations permit.

The one remaining sensor reduction technique--analytical redundancy--is not nearly
so well in hand. Various theoretical and simulation studies have shown that sensor
failures can be detected by exploiting known functional relationships between different
sensors. This possibility opens up a whole new approach to failure detection with significant
savings potential. In the following subsection we explore analytical redundancy
techniques in detail.
2.2 ANALYTICAL REDUNDANCY


The  basic  idea  of  analytical  redundancy  is  to  use  known  relationships  between  different 
sensors in order to detect failures. This idea has produced a growing variety of redundancy
concepts, ranging from simple signal blenders to complex banks of Kalman filters.
Each  new  investigator  seems  able  to  invent  yet  another  scheme  to  add  to  the  collection. 
This  proliferation  has  obscured  common  basic  features  and  has  made  comparisons  and 
evaluations  of  competing  approaches  difficult.  For  this  reason,  we  interpret  "analytical 
redundancy"  as  a general  failure  detection  concept.  We  can  then  examine  specific 
approaches  which  are  further  classified  for  comparison. 

2.2.1  The  General  Concept 

Analytical  redundancy  hinges  on  the  existence  of  two  basic  functions  or  "building  blocks" 
which  can  be  assembled  in  various  ways  to  achieve  fault  detection.  The  building  blocks 
are: 

1. Diagnostic Filter (DF)--This is an algorithm which processes data from a
family of N functionally related sensors in order to estimate signals or
states and also to assess the health of the sensor family. Outputs from a
diagnostic filter are signal estimates plus one binary error flag which indicates
"0" if all sensors are healthy and "1" if any one of them has failed.

2.  Super-Diagnostic  Filter  (SDF) — This  is  an  algorithm  which  performs  the 
functions  of  a diagnostic  filter  but  with  enhanced  capability  to  assess  the 
health  of  individual  sensors.  Its  outputs  are  signal  estimates  plus  error 
flags  for  each  sensor  in  the  input  family. 

How  these  building  blocks  are  actually  constructed  is  discussed  in  a later  subsection. 
First,  however,  we  will  consider  how  they  may  be  assembled  to  provide  fault  detection. 

Assemblies  of  Building  Blocks --The  way  in  which  diagnostic  or  super-diagnostic  filters 
can  be  combined  for  sensor  fault  detection  depends  upon  the  overall  structure  of  the 
failure management approach, i.e., whether uniform redundancy requirements apply
throughout  the  system  or  whether  various  reversion  modes  with  different  redundancy 
levels  are  allowed.  We  will  first  discuss  assemblies  for  uniform  requirements  in  two 
basic  sensor  groups  and  then  turn  to  assemblies  for  reversion  modes. 


Interchangeable and Noninterchangeable Sensors -- For redundancy requirements, flight
control sensors can be grouped into two basic categories: interchangeable and
noninterchangeable. The first group includes all sensors which can substitute for one
another in the event of a failure. Any one can replace any other. Examples include
skewed gyros or skewed accelerometers. When one sensor fails, another can be
substituted, provided only that the sensor-to-body coordinate transformation is
appropriately modified. In contrast, the second category consists of sensors which must be
replaced on an individual one-for-one basis. If one fails, only a duplicate can replace
it without compromising estimator/control quality and performance. An example is
the minimal sensor sets which remain after sensor reduction by control law
modifications, as described earlier.

Now suppose that N healthy sensors are needed in each of these categories in order to
be operational. Then a minimum of N + 2 interchangeable sensors (two extras) and 3N
noninterchangeable sensors (two extras of each type) is required for (fail-op)^2
performance. We know all too well, of course, that these minimum numbers are not sufficient
for traditional voting redundancy techniques. These require N + 3 and 4N sensors,
respectively, in order to resolve voting conflicts. With diagnostic or super-diagnostic
filters, however, the minimum numbers will suffice.

This latter point is illustrated in Figure 1 which shows fault detection schemes using
diagnostic filters. For simplicity, the figure is limited to fail-op performance with
N = 2. It can be readily generalized to arbitrary N and to (fail-op)^2 performance.

Figure 1A treats the case of interchangeable sensors. Three sensors are required for
fail-op performance and two diagnostic filters suffice to detect failures. This is verified
by the truth table in the figure. In order to generalize, note that there are N + 2 columns
in the truth table, one for each sensor failed individually (N + 1) and one for the no-fail
condition. Note also that each column corresponds to a unique binary "word" constructed
from the error flag "bits" of the diagnostic filters. Since there are 2^M such words for
M diagnostic filters, it follows that the necessary number of filters is

M = [log2 (N + 2)]*


*The brackets indicate the nearest larger integer.
Figure  1.  Fault  Detection  with  Diagnostic  Filters


We can further deduce from the truth table that the sensor inputs to each of these filters
are uniquely determined by the unit entries in each row of the table. Hence, we have a
completely general way to assemble diagnostic filters for interchangeable sensors:

1. Determine the number of sensors:

   N + 1 for fail-op
   N + 2 for (fail-op)^2

2. Determine the number of diagnostic filters:

   [log2 (N + 2)] for fail-op
   [log2 (N + 3)] for (fail-op)^2

3. Determine sensor inputs to each filter from the truth table.*


*This step offers some flexibility in the event that [log2 (N + 2)] > log2 (N + 2). Then we
have more potential columns and can choose the most convenient ones for filter
mechanization.
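
The three-step assembly above, worked through in Python as an added example (it is not code from the report). It also goes one step beyond the text by showing what the flag word decodes to when two sensors fail together. The idealised flag model (a filter trips exactly when one of its inputs has failed), the default word assignment and all function names are assumptions of this example.

```python
"""Assemble diagnostic filters (DFs) for interchangeable sensors from a truth table."""


def sensors_needed(n, level):
    """N + 1 sensors for fail-op (level 1), N + 2 for (fail-op)^2 (level 2)."""
    return n + level


def filters_needed(conditions):
    """M = [log2(conditions)], rounded up to the next integer (integer arithmetic)."""
    return (conditions - 1).bit_length()


def spare_words(n_sensors):
    """Unused flag words: the flexibility mentioned in the footnote to step 3."""
    return 2 ** filters_needed(n_sensors + 1) - (n_sensors + 1)


def assemble(n_sensors, words=None):
    """Build the truth table for isolating one failure among n_sensors.

    Column 0 is the no-fail condition (word 0); column j is "sensor j failed".
    words[j-1] is the flag word assigned to sensor j. The default 1, 2, 3, ...
    is an assumption of this example; any distinct nonzero words will do.
    Returns (M, table, inputs): table[k][j] is the flag of DF k in column j,
    and inputs[k] lists the sensors wired to DF k (the unit entries of row k).
    """
    m = filters_needed(n_sensors + 1)
    words = list(words) if words is not None else list(range(1, n_sensors + 1))
    if len(words) != n_sensors or len(set(words)) != n_sensors:
        raise ValueError("need exactly one distinct word per sensor")
    if not all(0 < w < 2 ** m for w in words):
        raise ValueError("words must be nonzero and fit in M bits")
    columns = [0] + words
    table = [[(w >> k) & 1 for w in columns] for k in range(m)]
    inputs = [[j for j in range(1, n_sensors + 1) if table[k][j]] for k in range(m)]
    return m, table, inputs


def diagnose(n_sensors, failed, words=None):
    """Decode the DF flag word for a set of failed sensor numbers.

    Idealised DF (assumption): its flag is 1 if any of its inputs has failed.
    """
    _, _, inputs = assemble(n_sensors, words)
    words = list(words) if words is not None else list(range(1, n_sensors + 1))
    flags = [int(any(s in failed for s in group)) for group in inputs]
    word = sum(bit << k for k, bit in enumerate(flags))
    if word == 0:
        return "no failure"
    if word in words:
        return "S%d" % (words.index(word) + 1)
    return "unassigned word"


if __name__ == "__main__":
    # Fail-op with N = 2: three sensors, two DFs, no spare words.
    n = sensors_needed(2, 1)
    m, table, inputs = assemble(n)
    print("fail-op, N=2:", n, "sensors,", m, "DFs, inputs", inputs)
    for row in table:
        print("  ", row)
    for failed in (set(), {1}, {2}, {3}, {1, 2}):
        print("  failed", sorted(failed), "->", diagnose(n, failed))
    # (fail-op)^2 with N = 2: four sensors, three DFs, three spare words.
    # Words 1, 2, 4, 7 give every DF two inputs; 1, 2, 3, 4 would leave DF 3
    # with a single input and nothing to cross-check it against.
    n2 = sensors_needed(2, 2)
    print("(fail-op)^2, N=2:", assemble(n2, [1, 2, 4, 7])[2],
          "spare words:", spare_words(n2))
    # A simultaneous double failure ORs two columns together. With no spare
    # words it is attributed to a healthy sensor; with spare words it can land
    # on an unassigned word instead.
    print("  S1+S2 failed ->", diagnose(n2, {1, 2}, [1, 2, 4, 7]))
```

The table assumes one failure at a time: in the three-sensor case a simultaneous failure of S1 and S2 produces the same flag word as a failure of S3.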
The diagnostic filter arrangement for noninterchangeable sensors is shown in Figure 1B.
Because duplicate sensors are available in this case, it is sufficient to use a single
diagnostic filter plus two ordinary comparators. The filter monitors one channel of
sensors while the comparators monitor the other. The fault detection capability of this
arrangement is again verified by a truth table. The arrangement generalizes easily to
larger N (one diagnostic filter plus N comparators) and also to (fail-op)^2 performance
(add the third channel of sensors plus comparators to check against Channel 1 or Channel
2).

Similar arrangements can also be developed using the super-diagnostic filter building
block. However, because this filter isolates individual sensor failures on its own, the
arrangements become very simple. Only one super-diagnostic filter is needed in all
cases. While this seems very attractive from the point of view of structure, it may not
be justifiable in terms of complexity. The super-diagnostic filter must compete with a
few ordinary diagnostic filters and a few comparators to achieve equal sensor reduction
benefits.

The  sensor  reduction  comparisons  of  SDF's  and  DF's  are  highlighted  in  Table  3.  The 
table  compares  the  number  of  building  blocks  required  to  achieve  minimum  sensor  sets 
and  also  shows  standard  voting  requirements.  As  we  can  see,  the  greatest  sensor 
reduction  benefit  of  analytic  redundancy,  no  matter  which  building  block  is  used,  is 
realized  for  noninterchangeable  sensors.  In  this  case,  one  diagnostic  filter  plus  2N 
comparators  achieves  the  same  benefits  as  a single  super-diagnostic  filter.  An  SDF 
which  is  more  complicated  than  this  will  not  be  competitive. 

For the case of interchangeable sensors, the total sensor reduction benefits are smaller
and more diagnostic filters are required to match the super-diagnostic filter. Again,
however, very complicated SDF's will not be competitive. As will be shown later,
several analytical redundancy schemes proposed in the literature violate these
competitive realities.

Reversion Modes --So far we have treated only uniform redundancy schemes. All sensors
had the same fail-op or (fail-op)^2 requirements. This is not typical of today's flight
control systems. Rather, high levels of redundancy are usually required for critical
inner loops with lower levels for outer loops. Flight operations consisting only of inner
loops are then treated as "reversion modes" in the overall failure management scheme.




TABLE 3. SENSOR REDUCTION COMPARISONS FOR
ANALYTICAL REDUNDANCY BUILDING BLOCKS

                              No. of    No. of          No. of         No. of Sensors,
                              SDF's     DF's            Comparators    (fail-op)^2

Interchangeable Sensors
  Detection with SDF's        1         0               0              N+2*
            with DF's         0         [log2(N+3)]     0              N+2*
            with Voting       0         0               N+4            N+3

Noninterchangeable Sensors
  Detection with SDF's        1         0               0              3N*
            with DF's         0         1               2N             3N*
            with Voting       0         0               3N             4N

*Minimum (fail-op)^2 requirements.


While details tend to be application dependent, the basic building blocks of analytic
redundancy can be assembled to deal with these situations also. As an example, Figure
2 shows a failure detection scheme for a fail-op pitch inner loop with fail-safe attitude
and altitude hold modes. As in Figure 1, the fail-op function (assuming noninterchangeable
sensors) is accomplished with one diagnostic filter plus N comparators. The diagnostic
filter monitors one channel of sensors (S3_1, S4_1, S5_1) and the comparators monitor the
other. In order to implement the reversion modes, however, it is also necessary to
detect failures of the outer-loop instruments, S1 and S2, individually. This calls for
enough diagnostic filters to distinguish between four logic conditions: no failures,
S1-failed, S2-failed, and S3_1-, S4_1-, or S5_1-failed. Hence the number of filters must be

M = [log2 (No. of logic conditions)] = 2

This formula is a generalization of the one derived earlier and can be used to determine
the minimum number of diagnostic filters required for various specific failure detection
problems. Once the number of filters is known, the sensor inputs for each are
determined as before by the unit entries in rows of the truth table.
Building  Block  Construction -- Discussed  here  is  the  problem  of  actually  constructing
computer  algorithms  which  perform  diagnostic  or  super-diagnostic  filter  functions.  The 
principle  of  operation  for  each  case  is  the  same — test  whether  actual  sensor  outputs 
satisfy  known  functional  relationships  which  exist  between  the  sensors.  The  sensors  are 
healthy  if  the  relationships  are  satisfied;  they  have  failed  somewhere  if  the  relationships 
are  violated. 

In mathematical terms, the known relations between sensors usually take the form of
state equations, i.e.,

$\dot{x} = f(x, u_c) + \xi$

$u = u_c + \eta_u$

$y = h(x) + \eta_y$

Here the sensors are assumed to measure noise-corrupted inputs, $u = u_c + \eta_u$, and
noise-corrupted outputs, $y = h(x) + \eta_y$, of the dynamic system $\dot{x} = f(x, u_c) + \xi$. The
problem is to test whether measured inputs and outputs are consistent with constraints
imposed by the dynamic system.

Possible  tests  for  consistency  can  range  all  the  way  from  simple  signal  blenders  to  full- 
fledged  extended  Kalman  filters.  Suppose,  for  example,  that  we  use  our  knowledge  of 
the  dynamics  to  combine  the  inputs  and  all  but  one  of  the  output  signals  in  such  a way  as 
to  predict  the  remaining  output.  In  addition,  we’ll  use  an  ordinary  comparator  to  test 
consistency  of  the  predicted  output  with  the  actual  one.  Failures  of  any  sensor 
should  then  produce  a miscomparison,  and  it  follows  that  we  have  built  a diagnostic 
filter.* Its construction would be called "signal blending" in classical terminology or
"observer  design"  in  modern  systems  language. 

The  "observer  design"  approach  in  fact  offers  a complete  hierarchy  of  diagnostic  filters. 
This  is  illustrated  in  Figure  3.  At  the  bottom  of  the  hierarchy  is  a low-order  observer 
of  the  type  just  discussed.  Above  it  are  higher-order  observers  which  blend  one  subset 


*This is only a conceptual argument, of course. Whether such a filter would actually
produce strong enough miscomparisons for failure detection in noise is a key design
question which must still be answered for each application.
of  signals  to  predict  and  test  consistency  with  another  subset.  At  the  very  top  of  the
hierarchy  is  the  (extended)  Kalman  filter  which  blends  all  signals  and  uses  consistency 
tests  of  the  filter's  residuals  for  failure  detection.  Some  specific  examples  of  residual 
tests  will  be  discussed  later. 

Figure  3 highlights  the  fact  that  a wide  range  of  complexity  is  possible  in  diagnostic 
filter  construction.  The  most  cost-effective  filter  can  only  be  determined  by  detailed 
design studies on specific applications. This becomes even more apparent for
super-diagnostic filter construction. For these more powerful building blocks there seems to
be  no  unifying  design  approach.  The  literature  suggests  very  sophisticated  residual 
tests  to  isolate  individual  sensor  failures,  hypothesis  testing  with  banks  of  filters, 
modified  Kalman  filter  designs,  parameter  identification  formulations,  and  so  forth. 
These  are  discussed  in  the  next  section  which  surveys  specific  analytic  redundancy 
techniques  proposed  in  the  literature. 

2.2.2  Specific  Analytical  Redundancy  Techniques 

Thus  far  in  our  technical  discussion  we  have  defined  the  sensor  reduction  problem, 
discussed  various  ways  for  reducing  numbers  and  types  of  sensors,  and  identified  a 
diagnostic  filter  as  a general  building  block  for  using  functionally  related  data.  We  noted 
that the diagnostic filter can give a "yes" or "no" decision regarding the "health" of the
sensor data it is processing. We also identified a super-diagnostic filter which can
isolate individual sensor failures from the set of sensor data it is processing. We
further noted that a super-diagnostic filter can be constructed from a collection of
diagnostic filters and a simple truth table and that this places an upper limit on the viable
complexity of super-diagnostic filters. The following subsection summarizes
specific analytical redundancy concepts which have been proposed and analyzed in the
literature. As shown in Table 4, these specific concepts fall into three major categories:
assemblies of diagnostic filters, specific diagnostic filter designs, and explicit
super-diagnostic filter designs.

2.2.3  Failure  Detection  with  Assemblies  of  Diagnostic  Filters 

An  example  of  combining  diagnostic  filters  into  a fault  detection  and  isolation  algorithm 
is  given  by  Hartmann  and  Stein  (Reference  8).  The  objective  of  this  design  is  to  make 
dual  pitch-axis  inner-loop  sensors  fail-operative.  Therefore,  only  a single  Kalman 
filter  is  required  as  a diagnostic  device.  The  system  is  being  applied  to  the  NASA  F-8 
TABLE 4. FAULT DETECTION CONCEPTS*

Failure Detection with Assemblies of DF's

   Meier, et al.^6, Maybeck^7 - Uses Kalman filter as a DF
   Hartmann, Stein^8 - Uses Kalman filter as a DF
   Clark, et al.^9 - Uses observer as a DF

Specific DF Design Techniques

   Kerr^10 - Uses an augmented suboptimal Kalman filter as a DF
   F-4 DFBW^5 - Uses simple blenders as a DF
   Mehra-Peschon^11 - Proposes several residual tests for a Kalman filter

Explicit SDF Design Techniques

   • Hypothesis testing methods:
     Montgomery et al.^12,13; Athans-Willner^14; Lainiotis^15; Buxbaum-Haddad^16

   • Parameter identification:
     Mehra-Peschon^11; Stein^17

   • General likelihood ratio methods:
     Willsky, et al.^18,19; Deyst-Deckert^20; McAulay-Denlinger^21; Sanyal-Shen^22

   • Modified Kalman filter designs:
     Jones; Beard

   • Jump processes:
     Sworder^25,26; Katner^27; Pierce^28; Davis^29; McCarty^30; Chien^31

*Superscripts indicate reference numbers.

DFBW. Its intended structure is shown in Figure 4 where it is noted that the DF is used
to resolve sensor failures following a miscompare. The DF is a two-state representation
of the short-period dynamics. The states are:

Q — pitch  rate 


*^gust  — angle -of-attack 
g/U  — trim  or 


m^  --trim  pitching  moment 
Figure  5.  Diagnostic  Filter  for  F-8  DFBW


Results  from  this  design  demonstrate  good  failure  detection  and  isolation  when  used  with 
comparison  monitors,  thus  providing  a fail-operational  capability  for  dual  sensor  sets. 
Classes  of  failures  examined  were  dead,  hardover  and  stuck  sensors,  and  sensor  scale 
factor  changes. 

Failure  detection  was  also  achieved  using  only  analytical  redundancy  techniques  without 
dual  sensor  channels,  thus  providing  a fail-safe  single  sensor  set. 

2.2.4  Specific  Diagnostic  Filter  Design  Techniques 

An  example  of  designing  a filter  to  check  the  operation  of  a specific  sensor  is  provided 
by  Kerr  (Reference  10).  This  study  developed  a special  residual  testing  procedure  for 
diagnostic  Kalman  filters.  The  procedure  is  intended  primarily  for  filters  which  are 
known to be suboptimal (i.e., reduced order) and hence do not produce "white" residuals
by definition. This is an important twist on standard theory since reduced-order
models  may  be  desirable  (or  mandatory)  in  many  applications.  Basically,  a low-order 
Kalman  filter  is  augmented  with  a few  "failure  states"  and  a function  of  the  filter  residuals
is  used  to  decide  when  a departure  from  a no-failure  confidence  region  has  occurred. 

This  concept  warrants  further  investigation  for  flight  control  application.  A potential 
problem  is  that,  if  the  sensor  failure  modes  require  adding  many  failure  states,  a high- 
order  filter  results. 

Advanced  Fighter  (F-4  DFCS)--A  study  on  the  F-4  DFCS  (Reference  5)  suggested  a number 
of  diagnostic  filter  techniques  based  on  "data  reasonableness"  checks.  These  are  basically 
simple  blenders  (observers)  that  estimate  one  sensor  output  based  on  other  functionally 
related  sensors.  They  were  developed  using  simple  physical  relationships  and  provide 
comparisons  over  some  intermediate  frequency  range.  Conceptually,  these  types  of 
DF  elements  are  the  least  complex  and  will  be  attractive  for  that  reason.  Specific 
blenders  performed  the  following  functions: 

• Pitch rate estimation from two physically separated accelerometers

• Rate  derivation  from  attitude  references.  This  is  also  used  in  the  shuttle 
flight  control  for  tie  breaking  following  a gyro  failure.  The  NASA 
F-8  DFBW  Phase  I system  also  used  this  technique  for  obtaining  rates. 

• Rate  and  acceleration  predictions  from  surface  deflections 

These  schemes  are  attractive  for  their  simplicity.  Their  performance  remains  to  be 
thoroughly  evaluated. 

In  addition  to  the  above  schemes,  there  are  a number  of  simple  "blenders"  that  can  be 
devised using the equations of motion. We have categorized these as observers/blenders
since both are designed without requiring a description of measurement noise or
stochastic disturbances (gusts). An example of a "blender" is illustrated in Figure 6
where normal acceleration (n_z) is computed from two alternate relationships. A
disagreement indicates that one (or more) of the input signals is in error. (Here and

Z might  be  scheduled  with  air  data. ) 

6 

Mehra-Peschon (Reference 11)--This report provided a survey of various residual tests
for diagnostic Kalman filters. The basic approach is to treat fault detection via
hypothesis testing, where normal operation is the null hypothesis and the error signal (or
residuals) are tested against this hypothesis. Tests that apply are:
Figure  6.  Blender  for


1.  Tests  of  whiteness.  The  residuals  should  be  uncorrelated  at  different 
time  instants: 

• Autocorrelations 

• Sample  correlation  coefficients 

• Tests  of  independence  between  different  components  of  the  error  vector 

2.  Tests  of  mean.  Compare  sample  mean  with  zero. 

3.  Tests  of  covariance.  Compare  covariance  of  residuals  with  an  a priori  value. 

Another  possibility  not  mentioned  would  be  testing  the  orthogonality  of  the  residual  and 
the  estimated  measurement. 
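
The three residual tests listed above, applied to constructed residual sequences in Python. This is an added example, not code from the report or from Reference 11; the trip levels, the sample size, the a priori standard deviation and the way each constructed failure shows up in the residuals are assumptions chosen for illustration.

```python
"""Residual tests for a diagnostic Kalman filter: whiteness, mean, covariance."""
import math
import random


def _mean(r):
    return sum(r) / len(r)


def mean_trip(r, sigma, k=5.0):
    """Test of mean: trip when |sample mean| is more than k standard errors from zero."""
    return abs(_mean(r)) > k * sigma / math.sqrt(len(r))


def covariance_trip(r, sigma, band=(0.6, 1.4)):
    """Test of covariance: trip when sample variance / a priori variance leaves the band."""
    m = _mean(r)
    var = sum((x - m) ** 2 for x in r) / (len(r) - 1)
    return not band[0] <= var / sigma ** 2 <= band[1]


def whiteness_trip(r, max_lag=5, k=5.0):
    """Test of whiteness: sample correlation coefficients at lags 1..max_lag.

    For white residuals each coefficient is roughly N(0, 1/n), so the trip
    level is k / sqrt(n).
    """
    n, m = len(r), _mean(r)
    c0 = sum((x - m) ** 2 for x in r)
    for lag in range(1, max_lag + 1):
        ck = sum((r[i] - m) * (r[i + lag] - m) for i in range(n - lag))
        if abs(ck / c0) > k / math.sqrt(n):
            return True
    return False


def residual_tests(r, sigma):
    """Run all three tests; True means the null hypothesis (no failure) is rejected."""
    return {
        "whiteness": whiteness_trip(r),
        "mean": mean_trip(r, sigma),
        "covariance": covariance_trip(r, sigma),
    }


def constructed_residuals(n=500, seed=1977):
    """Constructed sample data (not flight data), unit a priori standard deviation.

    healthy : zero-mean white sequence
    biased  : healthy plus a constant offset (a bias-like failure)
    scaled  : healthy times two (residuals larger than the filter predicts)
    coloured: first-order correlated sequence (residuals no longer white)
    """
    rng = random.Random(seed)
    healthy = [rng.gauss(0.0, 1.0) for _ in range(n)]
    coloured, prev = [], 0.0
    for x in healthy:
        prev = 0.9 * prev + math.sqrt(1.0 - 0.81) * x
        coloured.append(prev)
    return {
        "healthy": healthy,
        "biased": [x + 0.5 for x in healthy],
        "scaled": [2.0 * x for x in healthy],
        "coloured": coloured,
    }


if __name__ == "__main__":
    for name, r in constructed_residuals().items():
        print("%-9s %s" % (name, residual_tests(r, sigma=1.0)))
```

Each constructed failure is caught by a different test, which is why the tests are used together rather than singly.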

Explicit Super-Diagnostic Filter Design Techniques -- Table 4 shows that the largest
volume of research literature in analytical redundancy is devoted to super-diagnostic
filters. This is natural because these building blocks pose the most significant
theoretical construction problems. At the same time, however, they have ready competitors
(as seen in Table 3) which sharply restrict the allowable complexity of viable designs.
Five design approaches have been pursued to date for super-diagnostic filters:

• Multiple  hypothesis  tests 

• Parameter identification

• Generalized  likelihood  ratio  methods 
• Modified  filter  designs

• Jump  process  estimation 

The  status  and  principal  features  of  each  are  briefly  discussed  below. 

Multiple  Hypothesis  Tests — This  approach  is  based  on  Bayesian  statistical  decision  theory. 
The  various  failure  conditions  of  individual  sensors  are  used  to  define  a set  of  hypotheses: 

H_0 : No failures

H_1 : + Gyro hardover

H_2 : - Gyro hardover

H_3 : Gyro spinmotor inoperative

etc.

Each  hypothesis  is  then  tested  against  observed  input/output  measurements.  The  test 
involves  a Kalman  filter  operation  which  generates  sensor  residuals  under  the  assumption 
that  a particular  hypothesis  is  true.  These  residuals  are  accumulated  into  likelihood 
functions,  and  the  minimum  likelihood  is  selected  to  identify  the  currently  valid  hypothesis. 

This  approach  has  been  studied  extensively  at  NASA's  Langley  Research  Center,  with 
promising  performance  results  on  their  F-8  simulator.  However,  complexity  has  so 
far ruled the concept out even for such powerful flight computers as the F-8's AP101.

This  problem  is  evident  in  Figure  7 which  shows  a block  diagram  of  the  algorithm.  One 
Kalman  filter  is  needed  to  test  each  hypothesis.  This  produces  a large  bank  of  filters, 
even  for  modest  collections  of  failure  modes.  Since  each  of  these  filters  is  itself  equal 
to  a diagnostic  filter  in  capability  and  complexity,  it  follows  from  earlier  discussions 
that  the  approach  represents  an  inefficient  assembly  of  building  blocks. 

Parameter  Identification — This  approach  uses  explicit  on-line  parameter  identification 
to  detect  individual  sensor  failures.  Critical  parameters  of  each  instrument  (for  example, 
gain  and  bias)  are  selected  as  unknowns  and  estimated  from  input/output  data.  When 
these  estimates  deviate  substantially  from  nominal  values,  a failure  is  declared.  This 
approach  was  suggested  originally  by  Mehra  and  Peschon  (Reference  11)  for  the  F-8 
DFBW  aircraft. 
Figure  7.  Multiple  Hypothesis  Test  SDF


Viability  of  the  approach  depends  largely  on  the  complexity  of  the  required  identification 
algorithm.  For  example,  if  a one-step  maximum  likelihood  identification  procedure  is 
used,  the  overall  super-diagnostic  filter  algorithm  will  look  like  Figure  8.  In  structure, 
it  matches  the  multiple  hypothesis  test.  A bank  of  sensitivity  calculations  is  required 
to  evaluate  likelihood  gradients  with  respect  to  the  unknown  sensor  parameters.  Large 
gradients  indicate  failed  conditions.  One  sensitivity  calculation  is  required  per  parameter, 
and  each  calculation  approximately  matches  the  complexity  of  a Kalman  filter.  Hence, 
the approach not only looks like but also tends to be as inefficient as the multiple
hypothesis test. Other identification algorithms are under investigation to reduce this
complexity. 

Generalized  Likelihood  Ratio  Methods --Largely  in  response  to  the  complexity  of  multiple 
hypothesis  tests,  a separate  direction  of  failure  detection  research  has  been  pursued 
by  Willsky  and  Jones  (Reference  19).  This  work  begins  with  the  constraints  that  only 
one  Kalman  filter  will  be  available  and  that  individual  sensor  failures  must  be  detected 
Figure  8.  Parameter  Identification  SDF

by  monitoring  residuals  from  that  filter  alone.  Hence,  the  research  seeks  a residual 
testing  procedure  powerful  enough  to  turn  ordinary  diagnostic  filters  into  super-diagnostic 
filters.  Results  show  that  this  can  indeed  be  done  for  a large  class  of  failures. 

Failures  which  can  be  detected  from  residuals  of  a single  Kalman  filter  are  those  which 
leave recognizable "signatures" when they occur, i.e., characteristic transients in the
residuals  which  can  be  recognized  by  correlation-like  data  processing.  Examples  are 
momentary  jumps  and  step  changes  produced  by  open  circuits  or  hardover  failure 
conditions.  These  conditions  are  detected  by  statistically  correlating  the  residuals  with 
known  signatures.  The  correlations  are  normalized  by  their  expected  no-failure  value 
and  then  compared  to  preset  threshold  levels.  If  a particular  normalized  correlation 
(likelihood  ratio)  is  sufficiently  high,  the  corresponding  failure  event  is  declared. 

A block diagram of the resulting super-diagnostic filter is shown in Figure 9. This
diagram illustrates the potential complexity advantages of the generalized likelihood ratio
approach. Only one Kalman filter is required to drive a bank of (potentially) simple
Figure  9.  Generalized  Likelihood  Ratio  SDF


correlation  operations.  We  should  recognize,  however,  that  at  the  present  state  of 
development  the  correlation  operations  themselves  are  fairly  complex. 

Both  the  time  of  occurrence  and  the  magnitude  of  each  signature  are  treated  as  unknowns, 
so  the  correlation  process  must  perform  a maximization  operation  over  these  variables 
before  normalization  and  threshold  comparison  can  take  place.  Simplification  procedures 
for these operations are being investigated.

Modified Filter Design--Like the generalized likelihood ratio method, this approach also
starts with the constraint of permitting only one Kalman filter in the building block.
However, it does not treat the filter as a fixed element which accepts whatever failure
signature it produces. Rather, the approach attempts to alter the filter gains in such a
way that failures produce strong, easily recognizable, and readily distinguishable
signatures. While the state of development of this idea is still largely theoretical, it offers
a high potential for improving the detection capability of super-diagnostic filters.
Jump Process Estimation -- This approach is also in an early stage of theoretical
development. The idea is to represent failures as randomly occurring jump processes in an
otherwise known stochastic system and to estimate times of occurrence and magnitude of
these jumps with optimal stochastic filtering theory. Solutions turn out to be infinite
dimensional filters, and the research literature is now concentrating on ways to
approximate these filters without losing too much performance. Results from this direction of
research require more development before they can be applied.

2.3  FEASIBILITY 

So far we have discussed the general concept of analytical redundancy and the various
specific approaches which have been taken in the literature. The next obvious question
is whether these ideas are actually practical for real-world flight control systems. A
complete answer has not been available; therefore, the question represents the main
point of this study. We have, however, done some preliminary feasibility analyses to
indicate that the study has a high potential for success.

To assess feasibility, we analyzed two requirements: performance (how well does an
analytical  redundancy  concept  have  to  work  to  be  worthwhile),  and  computer  resources 
(how  much  of  a typical  flight  computer's  capability  would  be  required  to  mechanize  a 
representative  concept).  Both  analyses  show  reasonable  results. 

2.3.1  Performance 

Performance requirements are most easily addressed in cases where analytical
redundancy is applied to effectively eliminate one channel of sensors, i.e., reduce quad to
triple, triple to dual, etc. In each case the necessary function is to isolate the failure.

Taking the quad case as an example, the usual approach to management of the set of
four is to isolate the first and second failed sensors by majority vote, with the third
failure (sensed by a miscomparison between the remaining two sensors) resulting in total
disengagement. If the monitoring process is perfect, the probability of total failure of
the set is approximated by $4Q_s^3$, where $Q_s$ is the probability of failure of one of the
sensors in the selected time period. Under the same assumption, the probability of
failure of any two sensors is $6Q_s^2$, a number of significance to mission abort calculations.
In terms of current sensor failure rates, the above probabilities are exceedingly small
numbers. Taking a rate gyro as an example with a failure rate of about $10^{-4}$ per hour
(one of the worst of the sensor failure rates),

$4Q_s^3 = 4 \times 10^{-12}$

$6Q_s^2 = 6 \times 10^{-8}$

where each applies to a one-hour flight. Typical flight control system requirements for
total failure and mission abort are on the order of $10^{-7}$ and $10^{-3}$, respectively, for a
one-hour flight. Assuming 10 quad sets of sensors and conservatively allocating only
one-tenth of the system failure requirements to the sensors, per sensor set requirements
of $10^{-9}$ for total failure and $10^{-5}$ for a dual failure (mission abort) result. Consequently,
the quad sensor set (with perfect monitoring) exceeds requirements by about two orders
of magnitude.

If a majority-voted triple set were hypothesized instead of the quad, however, the
associated flight safety and mission abort probabilities of $3Q_s^2$ and $3Q_s$ would produce values
of $3 \times 10^{-8}$ and $3 \times 10^{-4}$, respectively, failing to meet above requirements by a factor
of 30. The situation is simply that, with conventional comparison monitoring, triple is
not good enough and quad is too good.

Complicating the above argument (and changing some of the conclusions) is the issue of
imperfect monitoring, which in itself is difficult to deal with quantitatively. One attempt
to do so argues that an undetected failure may cause quad set failure after the second
sensor failure (instead of after the third), producing an added total failure contribution
of $6Q_s^2 Q_m$, where $Q_m$ is the probability of having the first failure occur without being
detected and where both of the actual sensor failures are alike. The result of such a
combination of events is that the quad voting logic cannot decide between two good
like-sensors and two bad like-sensors. A common example of this situation is when two
sensors fall dead in an interval where monitors fail to trip due to insufficient control
activity (e.g., cruise). There are no data available to assign numbers to $Q_m$, but a
parametric study of its potential effects shows that it is a significant and probably a
dominant contributor to total failure rate. For example, speculated values for $Q_m$ are
on the order of $10^{-2}$, making the $6Q_s^2 Q_m$ term (again for a rate gyro) equal to
$6 \times 10^{-9}$ for the one-hour flight, just within requirements. With imperfect monitoring
considered, the quad set may no longer be "too good," but just good enough.

The relevance of the above discussion to analytical redundancy requirements lies primarily
in the notion that imperfect monitoring (an element of redundancy mismanagement) is
probably the pacing cause for failure of highly redundant sensor sets. The quality of the
required analytical diagnostics must be viewed in this perspective. Consider, as an
example, an analytical redundancy application wherein triple sensors are to be configured
for dual-fail-op performance. The first failure will be "voted out" by comparison logic.
The second failure will be detected by comparison monitoring and isolated by diagnostics.
The resulting total failure rate is $Q_s^3 + 3Q_s^2 Q_D$, where $3Q_s^2$ represents the probability of
a dual sensor failure and $Q_D$ is the probability of failure of the diagnostics to pick the
bad sensor. Judging the second term to be dominant and equating it to be the $10^{-9}$
requirement speculated above,

or $Q_D = 0.033$ for a rate gyro set. This means that the diagnostics must be correct in
about 97 percent of the decisions made to distinguish a good sensor from a bad sensor.

This performance appears feasible. Note that the source of failure experienced in the
conventional quad set due to imperfect monitoring is also present in the above triple set,
but it is only half as probable in the triple. It may simply be included as a contribution
to $Q_D$.

In terms of mission reliability, the triple set described above will be aborted after the
second failure, a probability of $3Q_s^2$. This is lower than the quad set by a factor of two.

In summary:

1.  The  performance  expected  from  analytical  diagnostics  must  be  based  on  a 
specific  redundancy  management  strategy  and  realistically  related  to  total 
flight  control  system  requirements. 

2.  In  specific  cases  the  required  ability  of  the  diagnostics  to  satisfy  system 
needs  appears  attainable. 

3.  Considering  the  reality  of  imperfect  monitoring,  analytical  redundancy 
techniques  are  potentially  equal  or  superior  to  conventional  quad  channel 
voting. 


2.4  MOTIVATION 


If analytical redundancy is both technically ready and feasible in the real world of
on-board computations, then the basic issue is motivation. What is the payoff?

Total control system reliability, i.e., not just sensors but computers and servos, is the
ultimate measure of success. An example would be the current A-7D multimode CAS.
Without a fail-op capability (i.e., by analytical redundancy or a third sensor string),
the mission reliability is as shown in Table 5, Column I.

Also  shown  in  Table  5 is  the  improvement  provided  by  redundancy.  The  full  benefit  of 
sensor  redundancy,  however,  is  not  realized  until  extra  effort  is  expended  to  back  up  the 
servos  with  effective  redundancy  (perhaps  analytical).  This  is  shown  in  Column  III. 


TABLE 5. A-7D MULTIMODE CAS MISSION RELIABILITY

Probability (failures per flight hour)

Major Abort Causes                                      | Case I: Current A-7D | Case II: 95% Sensor Redundancy | Case III: 95% Sensor and Servo Redundancy
--------------------------------------------------------|----------------------|--------------------------------|------------------------------------------
(a) Either computer fails plus 95% effective self test* | 0.2 x 10^-4          | 0.2 x 10^-4                    | 0.2 x 10^-4
(b) Servo failure in any axis                           | 6.0 x 10^-4          | 6.0 x 10^-4                    | 0.3 x 10^-4
(c) Gyro failure in any axis                            | 6.0 x 10^-4          | 0.3 x 10^-4                    | 0.3 x 10^-4
(d) Normal accelerometer failure                        | 0.4 x 10^-4          | 0.02 x 10^-4                   | 0.02 x 10^-4
Total                                                   | 12.6 x 10^-4         | 6.52 x 10^-4                   | 0.82 x 10^-4

*Diagnosis and redundancy scheme are 95% effective.

2.5 CONCEPTS SELECTED FOR FURTHER STUDY


Having  examined  and  classified  the  state-of-the-art  in  analytical  redundancy,  three 
concepts  were  chosen  which  cover  a large  breadth  of  sensor  fault  detection  and  isolation 
capabilities. 

2.5.1 Filter Concepts

Table 6 displays the three basic concepts studied. Concept I specifically attempts to
blend related sensors into a reconstructed output. An error signal is produced when the
reconstructed output is compared with the actual sensed output. Low computational
requirements are emphasized for later comparisons with the more complex Concept II.
Sensor outputs which cannot easily be reconstructed through kinematic relationships
are ignored (e.g., lateral acceleration).


TABLE 6. ANALYTICAL REDUNDANCY CONCEPTS SELECTED FOR DEVELOPMENT

Concept                             | Basic Classification | Complexity (Computer Requirements) | Reference* Similarity
------------------------------------|----------------------|------------------------------------|----------------------
I   Observer/Blender                | Specific DF Design   | Low                                | F-4 DFBW
II  Diagnostic Kalman Filters       | Assembly of DF's     | Medium                             | Meier and Maybeck
III Super-Diagnostic Kalman Filter  | Assembly of DF's     | Medium to High                     | Hartmann, Stein

*Superscripts indicate reference numbers.

Concept II uses an assembly of Kalman filters to produce a complete fault detection
capability for a given set of sensors. Extra computational expense is used to investigate
fault detection for difficult sensor combinations, i.e., gain-scheduled lateral-directional
dynamic equations of motion to monitor lateral acceleration. Specific sensor anomalies
such as body rate biases and scale factors are also treated to investigate early failure
detection.

Concept III addresses the fault isolation problem as well as the detection problem,
producing a super-diagnostic filter. No computational restrictions are imposed. Concept
III is further distinguished by the creation of an error signal for each sensor treated.
Kalman filters with gain-scheduled longitudinal and lateral-directional axes dynamic
equations are used to produce linear equations necessary for isolation of inner-loop
sensors ($n_z$, $n_y$, P, Q, and R) in maneuvering flight.

2.5.2 Monitor Concepts

The  choice  of  monitors  for  testing  various  error  signals  is  critical  to  performance.  Two 
basic  monitor  schemes  were  examined  for  detection  capability:  speed  of  response,  and 
meeting  the  false  alarm  criterion,  i.e.,  one  false  alarm  per  1000  flight  hours.*  Table  7 
briefly  describes  these  monitors  and  the  concepts  to  which  they  were  applied.  Section  4 
contains  a complete  development  of  these  monitors. 


*This is used for individual sensors under 98 percent wind gust conditions (approximately
6 fps).

TABLE 7. FAULT DETECTION MONITORS

Monitor Description                               | Concepts
--------------------------------------------------|---------------
I. Multiple Trip--Delayed Declaration             |
   A. Constant monitor level                      | II and III
   B. Monitor level scheduled on sensor output    | I
   C. Monitor level scheduled on stick input      | I, II and III
II. Sequential Likelihood Ratio Test              |
   A. On error signals                            | II and III
   B. On likelihood functions                     | II*

*Used with comparison monitors on dual sensors for fault isolation.

SECTION 3


SENSORS AND SENSOR MODELING

3.1 VEHICLE DYNAMICS

Analytical  redundancy  is  based  on  combining  known  relationships  of  sensed  variables. 
These  relationships  can  be  broken  into  two  groups:  translational  equations  and  rotational 
equations. 


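I. Translational Equations

A. Inertial Velocity-Body Velocity

$$\dot{X}_e = (\cos\theta\cos\psi)U + (\sin\phi\sin\theta\cos\psi - \cos\phi\sin\psi)V + (\cos\phi\sin\theta\cos\psi + \sin\phi\sin\psi)W \qquad (1)$$

$$\dot{Y}_e = (\cos\theta\sin\psi)U + (\sin\phi\sin\theta\sin\psi + \cos\phi\cos\psi)V + (\cos\phi\sin\theta\sin\psi - \sin\phi\cos\psi)W \qquad (2)$$

$$\dot{Z}_e = (-\sin\theta)U + (\sin\phi\cos\theta)V + (\cos\phi\cos\theta)W \qquad (3)$$

B. Force Equations

$$\dot{U} = A_x - g\sin\theta - QW + RV \qquad (4)$$

$$\dot{V} = A_y + g\cos\theta\sin\phi - RU + PW \qquad (5)$$

$$\dot{W} = A_z + g\cos\theta\cos\phi - PV + QU \qquad (6)$$

where

$$A_x = F_x/\text{Mass}, \quad A_y = F_y/\text{Mass}, \quad A_z = F_z/\text{Mass}$$

$$V_T^2 = U^2 + V^2 + W^2$$
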
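II. Rotational Equations

A. Euler Rates/Body Rates

1. Euler Rate Formulation

$$\dot{\phi} = P + (Q\sin\phi + R\cos\phi)\tan\theta$$

$$\dot{\theta} = Q\cos\phi - R\sin\phi$$

$$\dot{\psi} = (Q\sin\phi + R\cos\phi)\sec\theta$$

2. Body Rate Formulation

$$P = \dot{\phi} - \dot{\psi}\sin\theta$$

$$Q = \dot{\theta}\cos\phi + \dot{\psi}\sin\phi\cos\theta$$

$$R = \dot{\psi}\cos\phi\cos\theta - \dot{\theta}\sin\phi$$

B. Moment Equations

$$L = \dot{P}I_{xx} - \dot{R}I_{xz} + QR(I_{zz} - I_{yy}) - PQI_{xz}$$

$$M = \dot{Q}I_{yy} + PR(I_{xx} - I_{zz}) + (P^2 - R^2)I_{xz}$$

$$N = \dot{R}I_{zz} - \dot{P}I_{xz} + PQ(I_{yy} - I_{xx}) + QRI_{xz}$$

where

$$(L, N) = \tfrac{1}{2}\rho V_T^2 S b\,(C_l, C_n)$$

$$M = \tfrac{1}{2}\rho V_T^2 S c\,C_m$$
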

3.2  SENSOR  COMPLEMENT 


The  basic  sensor  set  identified  for  fault  detection  is  as  follows: 

• Normal acceleration

  $n_{z_m} = -a_z - G + \text{Errors}^*$

• Lateral acceleration

  $n_{y_m} = a_y + \text{Errors}^*$

• Angle-of-attack

  $\alpha_m = \sin^{-1}(W/V_T) - \alpha_w + \text{Errors}^*$

• True airspeed

  $U_m = U - U_w + \text{Errors}^*$

• Altitude

  $h_m(\text{BARO}) = -Z_e + \text{Errors}^*$

• Three body rates

  $(P_m, Q_m, R_m) = (P, Q, R) + \text{Errors}^*$

• Three Euler angles

  $(\phi_m, \theta_m, \psi_m) = (\phi, \theta, \psi) + \text{Errors}^*$

*Errors include noise, bias, scale factor, hysteresis, environmental effects, response
dynamics, and unmodeled sensor inputs.

This represents a realistic set of motion and position quantities, identical to those used
in the A-7D multimode system with the exception of true heading, which must be
added to current interfaces. The set also indirectly encompasses other types of input
variables used in other applications:

1. Dynamic pressure (q), comparable to $\tfrac{1}{2}\rho V_T^2$ via altitude and true airspeed
functions.

2. Altitude rate ($\dot{h}$), comparable to a blend of derived altitude rate from altitude,
normal acceleration, pitch attitude, and roll attitude. The actual function
depends on the method used in deriving altitude rate for the specific application.

3. Mach number, comparable to true airspeed with an error of less than 10
percent.

Input  quantities  not  encompassed  by  the  sensor  set  include: 

1.  Pilot  inputs  such  as  stick  and  pedal  forces  and  position,  trim,  heading 
select,  etc. 


2. Error signals which occur only when certain modes are selected by the pilot,
e.g., altitude hold and heading hold (i.e., clutched outputs).

Other means must be used to detect faults in these signals (e.g., in-line testing) or an
associated failure must be accommodated by suitable design features such as signal
limiting.

3.2.1  Significance  and  Summary  of  Sensor  Modeling 

Analysis and verification of the various fault tolerant concepts by simulation require
adequate models of the sensors or signals involved. These sensor models are required
to contribute pertinent and appropriate dynamics and anomalies to the problem, as well
as to allow the introduction of sensor failure modes to evaluate the fault detection
capability of a particular concept. Further, recognition and identification of sensor
characteristics--noise and other anomalies--allow the definition of monitor threshold or
detection levels which will pass these "normal" irregularities but will still indicate
"failure" when they should.

It is possible, of course, to simulate the mechanization of a sensor complete with springs,
vanes, spinmotors, gimbals, etc. This approach is particularly appealing if one considers
the relative ease of inserting realistic failures of a sensor into the simulation; however,
this approach was not used. Instead, this study relied on analytical models--transfer
functions--coupled with superposition of the fault.

In  all  cases  of  sensor  modeling,  an  attempt  is  made  to  generalize  the  model.  That  is, 
specifics  which  would  make  the  sensor  unique  to  a given  vehicle  are  avoided.  Also, 
wherever  possible  and  without  giving  up  the  desired  generality,  the  sensor  data  associated 
with  the  A-7D  Multimode  DFCS  are  used.  A case  in  point  is  the  bandwidth  and  damping 
ratios  assumed  for  the  A-7D  analytical  sensor  models,  all  of  which  are  considered  to 
be  representative  of  typical  fighter  aircraft  sensors. 

3.2.2  Simulation  Modeling  Approach 

The normal sensor operating characteristics outlined in Table 8 include a definition of
appropriate sensor dynamics, i.e., frequency and damping ratios for use in idealized
second-order modeling. It is seen that the sensor bandwidths are from 5 to 50 hertz,
much greater than the approximately 2 Hz bandwidth expected to be used in the fault
tolerant monitor concepts.

TABLE 8. MODEL PARAMETER VALUES FOR NORMAL OPERATING SENSORS


*Units  same  as  sensor 


In  the  following  discussions,  normal  and  faulted  sensor  models  for  the  simulation  are 
presented.  They  will  be  implemented  digitally  but  are  shown  in  block  diagram  format 
for  better  visualization. 

3.2.3  Normal  Operating  Characteristics  Modeling 

Each  sensor  model  will  include  those  errors  considered  normal  or  acceptable  for  a 
population  of  sensors: 

• Scale  factor  error 

• Null  error 

• Alignment  (cross-axis  sensitivity)  error 

• Noise 

A basic  difference  between  fault  tolerant  concepts  is  the  means  of  accommodating  these 
errors  while  indicating  faults  for  genuine  failures.  The  simplest  concepts  use  monitor 
thresholds  statistically  fixed  to  fit  the  sensor  population  while  the  more  sophisticated 
concepts,  through  predictive  techniques,  set  thresholds  to  suit  the  given  sensor  set. 

Comparative  evaluations  of  fault  tolerant  concepts  use  identical  "seeded"  values  of 
the  above  anomalies.  Figure  10  is  a simplified  mathematical  model  of  the  normal  sensor 
operating  characteristics.  Table  8 shows  the  variations  in  parameters  appropriate 
to  the  normal  sensor. 

3.2.4  Fault  Categories 

As a first step, faults are categorized as open-loop or closed-loop faults. In the case
of open-loop faults, the sensor can be assumed to be out of the loop, and its normal
output can be replaced by something completely independent of its input. Faults in this
category may include:

1.  Zero  output  (dead  sensor) 

2.  Step  output  to  maximum  level  (hardover) 

3.  Stuck  at  transient  value  (stuck  output) 

4.  Drift  or  randomly  varying  output 
Figure 10. Generalized Simulation Model of Normal Sensor Operating Characteristics


These faults are introduced to the problem in the open-loop fashion described. Also,
turbulence and unmodeled structural noise are assumed to be missing from the output.

Closed-loop faults are based on the assumption that the sensor output is following the
input, but with errors added or superimposed. This list includes:

5.  Hysteresis 

6.  Low  (or  high)  gain  (scale  factor) 

7.  Bias  or  null  offsets 

8.  Stiction  or  deadspot 

9.  Misalignment  (cross-axis  coupling) 

10.  Noise 

11.  Resolution 

All of the above items are present, to some degree, in a normal sensor. They become
"faults" when they exceed their nominal values and become dominant terms in the error
equations.

Statistical summations of the nominal values were used for the closed-loop
characteristics given above to determine the detection levels in the various monitors.

In our simulations the following fault categories were used to exercise the fault detection
monitors:

1. Zero output

2. Hardover

3. Gain error

4. Bias

5. Other (as specific to sensor, e.g., dynamic response of accelerometers)

It  will  be  shown  that  the  first  four  fault  categories  above  represent  about  90  to  95  percent 
of  the  expected  failures  in  typical  rate  gyro  and  accelerometer  assemblies.  Further,  all 
the  earlier  listings  of  potential  failure  categories  are  shown  to  be  embodied  or  represented 
since  many  potential  faults  are  merely  variations  of  gain  or  bias  errors. 
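
The following sketch is an added illustration, not code from the report: it uses the Euler rate formulation of Section 3.1 as an analytical check on the pitch rate gyro against pitch attitude, and injects the four fault categories listed above. The trajectory, the 1-second residual window, the 1.0 deg trip level, the five-trip declaration rule, the 2 percent scale error and the platform errors are assumptions; the gyro null, noise RMS and full-scale values are those quoted in Section 3.3.

```python
import math
import random

DT = 0.02              # s, sample period (assumed)
WINDOW = 50            # samples in the 1 s residual window (assumed)
TRIP_LEVEL = 1.0       # deg, monitor trip level (assumed, not the report's value)
TRIPS_TO_DECLARE = 5   # consecutive trips before declaring a fault (assumed)
Q_NULL = 0.08          # deg/s, pitch gyro null error (Table 13)
GYRO_NOISE = 0.4       # deg/s RMS, pitch and yaw gyro noise (Section 3.3.2)
Q_HARDOVER = 30.0      # deg/s, pitch gyro full scale (Table 13)


def euler_rates(p, q, r, phi, theta):
    """Euler rate formulation: body rates -> (phi_dot, theta_dot, psi_dot). Angles in rad."""
    blend = q * math.sin(phi) + r * math.cos(phi)
    return (p + blend * math.tan(theta),
            q * math.cos(phi) - r * math.sin(phi),
            blend / math.cos(theta))


def body_rates(phi_dot, theta_dot, psi_dot, phi, theta):
    """Body rate formulation: Euler rates -> (P, Q, R). Angles in rad."""
    return (phi_dot - psi_dot * math.sin(theta),
            theta_dot * math.cos(phi) + psi_dot * math.sin(phi) * math.cos(theta),
            psi_dot * math.cos(phi) * math.cos(theta) - theta_dot * math.sin(phi))


def pitch_gyro(q_true, fault, rng):
    """Pitch rate gyro output (deg/s) for one of the fault categories, or normal operation."""
    if fault == "zero":        # open-loop fault: output independent of input, no noise
        return 0.0
    if fault == "hardover":    # open-loop fault: step output to maximum level
        return Q_HARDOVER
    normal = 1.02 * q_true + Q_NULL + rng.gauss(0.0, GYRO_NOISE)  # 2% scale error is constructed
    if fault == "gain":        # closed-loop fault: low gain (constructed value)
        return 0.5 * normal
    if fault == "bias":        # closed-loop fault: null offset (constructed value)
        return normal + 5.0
    return normal


def detect(fault=None, maneuvering=True, t_fault=10.0, t_end=20.0, seed=1):
    """Return the time (s) at which the residual monitor declares a fault, or None."""
    rng = random.Random(seed)
    amp = 1.0 if maneuvering else 0.0   # 0.0 gives steady cruise with no control activity
    theta_meas, increments, prev_rate, trips = [], [], None, 0
    for k in range(int(t_end / DT) + 1):
        t = k * DT
        # Constructed truth trajectory (deg and deg/s)
        phi = amp * 20.0 * math.sin(0.5 * t)
        theta = 5.0 + amp * 8.0 * math.sin(0.8 * t)
        phi_dot = amp * 10.0 * math.cos(0.5 * t)
        theta_dot = amp * 6.4 * math.cos(0.8 * t)
        psi_dot = amp * 2.0
        _, q, r = body_rates(phi_dot, theta_dot, psi_dot,
                             math.radians(phi), math.radians(theta))
        # Sensor outputs: the fault is superimposed on the pitch gyro only
        q_m = pitch_gyro(q, fault if t >= t_fault else None, rng)
        r_m = r + rng.gauss(0.0, GYRO_NOISE)
        phi_m = phi + 0.5 + rng.gauss(0.0, 0.02)      # platform bias and noise, constructed
        theta_m = theta - 0.5 + rng.gauss(0.0, 0.02)
        # Analytical theta_dot from the rate gyros (it does not depend on P)
        _, rate, _ = euler_rates(0.0, q_m, r_m, math.radians(phi_m), math.radians(theta_m))
        if prev_rate is not None:
            increments.append(0.5 * (rate + prev_rate) * DT)   # trapezoidal integration
        prev_rate = rate
        theta_meas.append(theta_m)
        if k >= WINDOW:
            # Error signal: sensed attitude change minus reconstructed attitude change
            residual = (theta_meas[k] - theta_meas[k - WINDOW]) - sum(increments[k - WINDOW:k])
            trips = trips + 1 if abs(residual) > TRIP_LEVEL else 0
            if trips >= TRIPS_TO_DECLARE:
                return round(t, 2)
    return None


if __name__ == "__main__":
    for case in (None, "zero", "hardover", "gain", "bias"):
        print(case, "maneuvering:", detect(case), "cruise:", detect(case, maneuvering=False))
```

With `maneuvering=False` the dead gyro is never declared failed, because a zero output is indistinguishable from the true pitch rate in steady cruise, while a hardover is caught in both cases.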
Of particular interest is field and analytical experience with the various sensors. In
general, it is difficult to accumulate this information. Furthermore, the data will
generally reflect the failure modes of associated electronics as well as the actual sensor.
Analysis of the resultant sensor/circuitry will usually result in the conclusion that any
failure mode is possible. An attempt was made to assemble data to determine the
probability of failure modes by examining test data and Failure Mode and Effects Analyses
(FMEA). Table 9 is such a compilation for a three-axis rate gyro package, a three-sensor
normal accelerometer package, and a two-sensor lateral accelerometer package.


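TABLE 9. FAILURE MODE AND EFFECTS ANALYSIS (FMEA)
FOR HIGH PERFORMANCE JET AIRCRAFT

System                                            | 3 Axis Gyro Package (Spring Restrained) | 3 Unit Normal Acceleration (Pendulous) | 2 Unit Lateral Acceleration (Force Rebalance)
--------------------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------------
Failure Rate of Assembly (Including Electronics)  | 14.5% per 1000 hrs                      | 5.13% per 1000 hrs                     | 3.42% per 1000 hrs

Failure Mode                 | 3 Axis Gyro Package | Normal and Lateral Acceleration Units
-----------------------------|---------------------|--------------------------------------
1. Zero or very low gain     | 75.6%               | 1.1%
2. Very high gain            | 0.4                 | 0.3
3. Moderate high gain        | 1.1                 | 0.2
4. Moderate low gain         | 1.3                 | 0.9
5. Dynamic response          | 3.4                 | 11.3
6. Null offset out of spec   | 1.2                 | 17.4
7. Hardover                  | 16.5                | 68.8
8. Mech play, hyst, stuck    | -                   | -
9. Self-test failure         | 0.5                 | -
Total                        | 100.0%              | 100.0%
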
Table 10 groups the data from Table 9 into our five fault categories. Also included are
air data, angle-of-attack and attitude gyro fault categories. Fault data for these sensors
are more scarce than rate gyro/accelerometer percentages; therefore, the degree of
confidence is lower.

A generalized fault model to be simulated is shown in Figure 11 with parametric fault
values and model states shown in Table 11.


TABLE 10. SUMMARY OF SENSOR FAILURE MODES

Fault Category    | Spring Restrained Gyro (1),(2) | Pendulous, Force Rebalance Accelerometers | Air Data Comp (3): True Airspeed | Air Data Comp (3): Altitude
------------------|--------------------------------|-------------------------------------------|----------------------------------|----------------------------
1. Zero output    | 76%                            | 1%                                        | 34%                              | 21%
2. Hardover       | 17                             | 69                                        | 5                                | 6
3. Gain errors    | 3                              | 1                                         | } 61 (4)                         | } 73 (4)
4. Null or bias   | 1                              | 18                                        | }                                | }
5. Other          | 3                              | 11                                        |                                  |
Total             | 100                            | 100%                                      | 100                              | 100%

NOTES:

(1) By similarity, the gyro failure modes shown will be assumed for
platform attitude signals $\phi$, $\theta$, $\psi$.

(2) The angle of attack sensor, assumed to be the vane type, will use the
gyro failure modes shown since zero output is expected to be the dominant
fault. Null offsets or biases would be common for pressure
balance types.

(3) Exclusive of Air Data Computer inputs (static and total pressure and
total temperature).

(4) Listed in data source as "degraded." We will assume equal distribution
between gain and null errors.


TABLE  11.  MODEL  PARAMETER  VALUES  FOR  SENSOR  FAILURE  MODES 


''FaulT'"^ 

Sensor 

Pm 

(deg/soc) 

m 

(deg/sect 

R 

ni 

(dog/ sect 

n 

z 

ni,  . 

n 

^m. 

e 

m 

(deg> 

e 

m 

(deg) 

m 

(deg) 

V 

m 

(ft/sec) 

li 

ni 

(ft) 

a 

ni 

(di'R) 

Zoro 

SW  at  B 

X 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

Output 

Uardovvr 

Op**n-Loop 

200 

30 

30 

10 

0.  5 

180 

180 

3(>0 

1.000 

50. 000 

;to 

Sensor 

197 

-1. 000 

-10 

Bias 

SW  at  A 

1 1 

Scale 

Closed 'Loop 

*^SF 

1 1 

Factor 

Sensor 
3.3 SENSOR DATA

3.3.1 Normal Operating Characteristics

Gain, Null and Alignment Errors--From various sources (manufacturers' specifications,
procurement specifications, etc.) for similar applications (e.g., F-18, F-14, JA-37),
errors and tolerances for the selected sensors have been established. These are
summarized in Tables 12 through 15. The values shown are felt to be typical of high
performance aircraft equipment. The applicability to the A-7D Multimode DFCS is
seen from comparison of total errors to Multimode DFCS monitor thresholds (Tables 12
and 13). Comparison monitor threshold for two like sensors would be the RSS of the
two individual errors.

Gain, null, and alignment errors are shown in their component parts; however, the
RSS totals of each are used in the sensor models.

Noise--It is generally acknowledged that any sensor output will contain elements
categorized as noise, that is, external corruption independent of the quantity being measured.
However, universal agreement on the definition of noise is not available. In many
applications, sensor signal noise is a limiting factor on potential control performance.
Classic examples such as localizer beam-following could be cited.


Figure  11.  Generalized  Simulation  Model  of  Sensor  Faults 


TABLE 12. ACCELEROMETER ERRORS/TOLERANCES

Characteristic                 | Normal        | Lateral
-------------------------------|---------------|-------------
*Input Range                   | +10, -4 g's   | ±0.5 g's
Gain Errors (% F.S.)           |               |
  Scale Factor                 | 5.0           | 5.0
  Linearity                    | 1.0           | 1.0
  Prefilter                    | 1.9           | 1.9
  RSS                          | 5.4%          | 5.4%
Null (Bias) Errors (% F.S.)    |               |
  Offset                       | 0.5           | 0.5
  Hysteresis                   | 0.05          | 0.05
  Threshold                    | 0.02          | 0.01
  RSS                          | 0.50%         | 0.50%
  x F.S.                       | 0.05 g's      | 0.0025 g's
Alignment (deg)                |               |
  Internal                     | 0.1           | 0.1
  Case                         | 0.35          | 0.35
  RSS                          | 0.36 deg      | 0.36 deg
RSS of Gain and Null Errors    | 5.4% F.S.     | 5.4% F.S.
Multimode Threshold            | 7.5% F.S.     | 25% F.S.

* Known A-7D values. Other parameters estimated from similar
equipment and application.


TABLE 13. NORMAL RATE GYRO ERRORS/TOLERANCES

Characteristic                       | Roll          | Pitch         | Yaw
-------------------------------------|---------------|---------------|--------------
Input range                          | ±200 deg/sec  | ±30 deg/sec   | ±30 deg/sec
Gain errors (% F.S.)                 |               |               |
  Scale Factor                       | 5.0           | 5.0           | 5.0
  Linearity                          | 1.0           | 1.0           | 1.0
  Prefilter                          | 2.0           | 2.0           | 2.0
  RSS                                | 5.5%          | 5.5%          | 5.5%
Nulls (Bias) (% F.S.)                |               |               |
  Offset                             | 0.25          | 0.25          | 0.25
  Resolution                         | 0.016         | 0.025         | 0.025
  RSS                                | 0.25%         | 0.25%         | 0.25%
  x Full Scale                       | 0.5 deg/sec   | 0.08 deg/sec  | 0.08 deg/sec
Alignment (deg)                      |               |               |
  Internal                           | 0.25          | 0.25          | 0.25
  Case                               | 0.35          | 0.35          | 0.35
  RSS                                | 0.43          | 0.43          | 0.43
RSS of gain and null errors          | 5.5%          | 5.5%          | 5.5%
Actual threshold in A-7D multimode   | 7.5% of full scale


TABLE 14. AIR DATA ERRORS/TOLERANCES AND ANGLE
OF ATTACK SENSOR (KNOWN A-7D VALUES)

Characteristics | Altitude ($h_m$)          | True Airspeed             | Angle-of-Attack Sensor
----------------|---------------------------|---------------------------|-----------------------
Range           | -1000 to 50,000 ft        | 118 to 600 KTS            |
Accuracy        | Below 10,000 ft: ±25 ft   | ±4 KTS (h < 20,000)       | 0.36 deg
                | Above 10,000 ft: ±.25% h  | ±4.74 KTS (h > 20,000)    |
Resolution      | 25 ft                     | 1 KT (1.7 ft/sec)         |


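TABLE 15. PLATFORM CHARACTERISTICS

Characteristic | Roll Attitude, $\phi$ | Pitch Attitude, $\theta$ | Heading, $\psi$
---------------|-----------------------|--------------------------|----------------
Range          | 360°                  | 360°                     | 360°
Accuracy*      | 1.6 deg               | 1.6 deg                  | 0.75 deg

* Presumed to include resolution, linearity, etc.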


Proper  noise  modeling  is  especially  critical  in  the  design  of  Kalman  filters  for  fault 
detection.  The  fault  detection  capabilities  are  highly  related  to  the  filter  bandwidth.  This 
bandwidth  is  explicitly  determined  as  a function  of  the  process-to-measurement  noise 
ratios. 

Consequently,  a special  analysis  was  performed  to  get  closer  to  real  life  noise  existing 
on  body  axis  rate  gyros  and  accelerometers. 

Noise Definitions--It is postulated that the output of a body-mounted gyro or accelerometer
will contain the components identified in Figure 12, which are briefly defined below:

1. Internal Sensor Noise--Usually modeled in simulations as filtered white
noise with a bandwidth defined by the sensor (on the order of 100 rps) with
an RMS level of 0.25 percent of sensor full scale output (flight condition
independent).

2. External Sensor Noise--A "steady-state" output induced by power plant,
generators, and other machinery vibrating the aircraft structure. For a
given engine power setting, the output is assumed steady, with components
over the full sensor range of frequencies (assumed flight condition independent).

3. Structural Mode Inputs--This component of sensor output assumes that the
aircraft structural modes are excited by turbulence and are flight condition
dependent. However, as the results will show, this dependence on turbulence
is not obvious in the data, at least not to the degree implied in Figure 12.

Also, we do not know, except by qualitative implication, what the turbulence
levels were during the data taking.

This lack of turbulence dependence follows from the Mil Spec 8785-B (Reference
33) definition of wind turbulence bandwidth. Dryden models normally cut off
turbulence at 0.02 to 0.16 Hz, depending on altitude and velocity. Our analysis
separates rigid body from "high frequency" at 2.5 Hz. Thus we could expect
turbulence to excite rigid body modes, with significantly less influence at the
structural modes, even if they are lightly damped.

4. Total High Frequency--This quantity, deduced from the power spectral density
plots, will be plotted on subsequent graphs. As noted, it is composed of the
three noise components discussed above.

5. Rigid Body--Normally, this is adequately simulated by turbulence in the
equations of motion.

To  summarize,  at  very  low  turbulence  levels,  we  would  expect  structural  (or  high 
frequency)  spectra  to  dominate  the  total  RMS,  with  the  rigid  body  (or  10  rps  frequency) 
dominating  at  high  turbulence  levels.  The  cross-over  point  and  relative  slopes  are 
undefined,  but  the  trend  seems  to  be  established. 

Data Input and Data Reduction--An example of the data input to this analysis is shown in
Figure 13. The RMS level of sensor output over a given frequency range was determined
as follows:

1. Rigid Body--Most of the data show a "clear-cut" region of data out to 2.5 Hz,
characterized by a high PSD peak at about 1 Hz and dropping to a low value at
2.5 Hz. The area under the PSD curve from 0 to 2.5 Hz is converted by
definition to "rigid-body" RMS by:

$$\text{RMS}^2 = \frac{1}{\pi}(\text{area}) \qquad (16)$$

$$\text{Area} = (\text{PSD max})(2.5)/2 \quad \text{(triangular approximation)} \qquad (17)$$

$$\text{RMS} = \sqrt{(\text{PSD max})(2.5)/2\pi} \ \text{rad/sec} \qquad (18)$$

Figure 13. Pitch Rate Power Spectral Density (Flight Test Record)*

"PSD max" is read off the curves directly. If more than one peak occurs,
they are averaged, and this average is used in Equation (18).

2. High Frequency--The area under the PSD curve is laborious to compute
manually with high precision. Several approximations were used, giving
fair correlation. The following method was finally applied to all curves.

The average value of the peaks was computed.

The spread of PSD data was noticed to be about 12 dB. That is, the minimum
valleys were about 25 percent of the maximum peaks, giving the graph in
Figure 14, after the averaging process:


*Sensor  data  taken  from  the  SAAB  JA-37  aircraft. 
Figure 14. RMS Calculation


$$\text{Area}_{\text{High Frequency}} = \tfrac{1}{2}(\omega_s - 2.5)(0.75a) + 0.25a(\omega_s - 2.5) \qquad (19)$$

^®^igh  Frequency  = ^ (20) 

^®^igh  Frequency  “ <'"s  ' 2*  5)  (21) 

$$\text{RMS} = \sqrt{0.63a(\omega_s - 2.5)/\pi} \ \text{rps} \qquad (22)$$


Admittedly,  the  method  may  give  some  numerical  errors  in  the  results;  however,  the 
data  trends  for  the  results  should  be  indicative  of  real  life. 

3.3.2  Results  and  Recommended  Sensor  Noise  Models 

The  results  of  the  data  reduction  from  PSD  plots  to  RMS  noise  levels  are  summarized 
in  Figure  15.  Some  highlights  are: 

• Turbulence level is not defined but one can deduce that, between Mach 0.9
and 1.0, the turbulence is high and is low elsewhere (see $n_z$ and Q plots).

• shows  little  effect  of  high  turbulence  on  high  frequency  noise. 

• Note  that,  at  high  Mach,  N^  high  frequency  dominates  in  a region  where  we 
can  infer  low  turbulence,  as  earlier  postulated. 

Normal Acceleration, $n_{zm}$--High frequency noise seems relatively constant, independent
of flight condition and turbulence level. (We assumed high vertical turbulence between
M = 0.9 and 1.0.)

RMS = 0.03 g's
BW = 100 Hz (see Figure 16)

Figure 16. Measured Signal Bandwidth


Pitch Rate, $Q_m$--Again, there is no obvious turbulence influence, except maybe that
induced by lateral motions (note the peak in $R_m$ and $n_{ym}$). We assume an average of
0.5 percent RMS.

RMS  = 0.4  deg/sec 
BW  = 100  Hz 


Lateral Acceleration, $n_{ym}$--Note that, subsonically, the shape is inverse to that of $Q$
and $n_z$, indicating that turbulence does not influence high frequency output. The Mach
1.1 peak may indicate the presence of lateral turbulence. If so, then R^, and
Q can be seen to be influenced by turbulence. The mechanism is not understood, so
constant high frequency noise RMS will be assumed.


RMS  = 0.03  g's 
BW  = 100  Hz 


Yaw Rate, $R_m$--Similar to above comments.

RMS  = 0.4  deg/sec 
BW  = 65  Hz 

Roll Rate, $P_m$--Similar to above comments.

RMS  = 1.1  deg/sec 
BW  = 100  Hz 

From Figures 15 and 16 it is possible to pick out an RMS level and BW for each flight
condition; however, average levels were selected which stressed the subsonic regime,
which is pertinent to the A-7D application.

SECTION 4

CONCEPT  DEVELOPMENT 


4.1 DESIGN PHILOSOPHY

The design philosophy chosen for this study is largely independent of the design
application. However, it is best explained using an example of how analytical redundancy
blends with typical on-board computing functions and capabilities.

4.1.1  Analytical  Redundancy  for  the  A-7D 

Analytical redundancy techniques were applied to the A-7D Multimode system to enable
ultimate evaluation under realistic constraints and environments. To achieve benefits
from  this  application,  either  added  system  capability  or  reduced  system  cost  must  be 
realized.  The  current  system  has  a mixture  of  fail-operative  and  fail-safe  hardware. 
The  dual  computers  are  fail-operative  to  a degree  dependent  on  the  self-test  coverage. 
The  sensors  and  servos  are  fail-safe;  servos  are  made  fail-safe  through  a combination 
of  comparison  monitoring  (of  like  devices),  validity  testing,  and  signal  limiting. 

Sensors  currently  on  board  the  A-7D  are  shown  in  Table  16.  By  application  of  analytical 
redundancy,  some  of  these  like  sensors  (rate  gyros,  a normal  accelerometer,  and  an 
angle-of-attack  sensor)  could  be  eliminated  and  still  maintain  fail-safe  operation. 
Alternatively,  the  mission  reliability  of  the  system  could  be  improved  with  the  current 
complement  of  sensors  by  providing  fail-operative  mission-essential  sensors.  Of  these 
two  options,  the  latter  is  selected  for  the  design  application  because  it  is  somewhat 
more  demanding  technically;  furthermore,  the  resulting  system  is  more  in  keeping 
with  current  operational  requirements. 

4.1.2  Design  for  Mission  Reliability 

There  are  many  options  for  structuring  the  redundancy  management  which  produce 
alternate  performance  qualities.  Significant  issues  include: 

1. Number of failure combinations possible before loss of function (success
paths)

2. Dependency on monitoring quality

3. Fail safety versus mission reliability (generally conflicting requirements)

4. Cost effectiveness (mission reliability gained for added fault detection and
isolation capability)


TABLE 16. SIGNAL AVAILABILITY ON A-7D AND F-4 DFCS

*Analysis performed on two aircraft; both originally considered for the design application. F-4 DFCS is included
to demonstrate uniform treatment for both aircraft.

- North ref.; tilf - Set-in ref.; h - total altitude; Δh - Set-in or synch. ref.


The  sensor  complement  of  the  A-7D  Multimode  System  and  its  related  functions  are 
presented  in  Table  17. 


TABLE  17.  A-7D  MULTIMODE  SENSORS  RELATED  TO 
FLIGHT  CONTROL  FUNCTION 


Note that only the first four sensors are mission essential from the standpoint of flight
control; the others are not required for Level 1 (Mil-Std 8785) handling qualities.

The primary gain in mission reliability is realized by structuring the system such that
a single failure does not cause an abort. This means that mission essential elements
must be fail-operative. It also suggests that the cause of a mission abort will be due to
a pair of faults, generally an equipment failure, plus some isolation defect. There is
therefore very little to be gained (reduction in abort probability) in complicating the
redundancy management such that more than one sensor fault can be accommodated.
Consequently, the following design approach was selected for the A-7D application:

1.  The  current  capability  of  fail-operative  computers  is  retained. 

2.  The  mission  essential  sensors  (pitch  rate,  roll  rate,  yaw  rate,  and 
normal  acceleration)  are  fail-operative. 

3.  The  "performance  enhancement"  sensors  (platform  angles,  angle-of-attack, 
true  airspeed,  and  altitude)  are  at  least  fail-safe. 

4.  If  a computer  fails,  the  added  complication  of  retaining  fail-operative 
sensors  is  not  provided. 

Assuming  that  the  fault  isolation  is  95  percent  effective  for  all  cases,  an  abort  will  be 
caused  by  the  following  (servos  and  hydraulics  excluded): 

1. Loss of either computer, plus a deficient self-test ($2 \times 2 \times 10^{-4} \times 0.05 = 2 \times 10^{-5}$ failures for one hour).

2. Loss of any rate gyro (out of six) plus a deficient diagnosis ($6 \times 10^{-4} \times 0.05 = 3 \times 10^{-5}$ failures for one hour).

3. Loss of either normal accelerometer plus deficient diagnosis ($2 \times 2 \times 10^{-5} \times 0.05 = 0.2 \times 10^{-5}$ failures for one hour).

The above three probabilities of failure total $5.2 \times 10^{-5}$ for a one-hour flight, a small
number compared to most mission reliability allowances. Note that several other
contributions to mission abort have been neglected because of their size. For example,

1. Computer/sensor combinations--failure of either computer followed by any mission essential sensor ($2 \times 2 \times 10^{-4} \times 6.0 \times 10^{-4} = 2.4 \times 10^{-7}$ failures for one hour).

2. Failure of both computers: $(2 \times 10^{-4})^2 = 4 \times 10^{-8}$ failures for one hour.

3. Failure of two like rate gyros in any axis: $3(10^{-4})^2 = 3 \times 10^{-8}$ failures for one hour.

4. Failure of both normal accelerometers: $(2 \times 10^{-5})^2 = 4 \times 10^{-10}$ failures for one hour.

4.1.3  Sensor  Interfaces 

A simplified  diagram  of  the  multimode  system  defining  the  interfaces  of  the  studied 
sensors  is  shown  in  Figure  17.  All  sensors  are  applied  to  each  computer  channel.  In 
the  case  of  the  dual  sensors,  however,  signal  conversion  is  only  performed  by  the 
associated  computer  if  both  computers  are  operative. 

Each  computer  receives  the  foreign  sensor  data  by  the  serial  data  exchange.  By  taking 
the  average  of  the  dual  sensor  inputs,  each  computer  operates  on  identical  data.  If 
one  computer  fails  and  is  disabled,  the  remaining  computer  converts  both  channels  of 
dual  sensor  data  and  continues  to  operate  on  the  average. 

In  the  case  of  single  sensors,  each  computer  will  receive  and  convert  the  data.  The 
converted  data  will  be  exchanged  and  averaged  to  maintain  identical  inputs  to  the  control 
law  in  each  channel.  If  a computer  fails  and  is  disabled,  the  remaining  channel  will 
use  only  its  own  converted  single  sensor  data. 

As  indicated  in  Figure  17,  the  sensor  diagnosis  performed  in  each  channel  is  based  only 
on the local dual sensor data (e.g., a sensor with computer A). This means that, if a
computer  fails,  the  diagnosis  of  the  associated  sensors  will  also  be  lost.  This  approach 
is  consistent  with  the  single-fail-operative  design  philosophy  (fail-safe  sensors  after 
a computer  failure). 

4.1.4 Fail-Operative Sensor Logic

Of  the  options  available  for  achieving  fail-operative  sensors,  the  proposed  approach  is 
one  which  favors  fail-safe  operation  with  minimum  dependency  on  diagnostic  quality. 
This logic is illustrated in Figure 18. Note that the diagnostic filters are used as
failure isolators after a miscompare between like-sensors is signaled. The isolation
can be based on relative magnitudes of diagnostic errors or a specifically designed
monitor to compare like-diagnostic-filter assemblies. Both approaches avoid dependence
on a predetermined failure threshold (with associated tolerance problems) for the
diagnostics for the first-failure detection in a dual sensor set.

Figure 17. A-7D Sensor Interfaces
*Logic includes monitor tests and fault isolation.

Figure 18. Fail-Operative Sensor Logic

A diagnostic  failure  threshold  will  be  required  for  detection  of  second  like-faults  and 
for  first  faults  in  single  sensors. 

Note  that  both  diagnostic  errors  are  not  available  if  one  computer  has  failed,  requiring 
a shutdown  if  the  dual  inputs  miscompare.  This  again  is  consistent  with  the  fail-operative 
design  philosophy. 

It  is  anticipated  that  the  miscompare  discretes  will  be  generated  after  three  consecutive 
difference  signals  which  exceed  a preset  level  are  received,  as  is  currently  done  in  the 
A-7D  Multimode  System. 
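
The fail-operative logic of this subsection can be written as a small state machine. The following is an added illustration, not code from the report: the class and sample names are hypothetical, the sample data are constructed, and the two levels reuse only the constant terms of the pitch-rate rows of Table 19 (the rate-dependent terms are omitted as a simplifying assumption).

```python
from dataclasses import dataclass

TRIPS_REQUIRED = 3          # consecutive exceedances before a discrete is set
MISCOMPARE_LEVEL = 0.76     # deg/sec; constant term of Table 19's pitch-rate CM trip
DIAG_LEVEL = 0.54           # deg/sec; constant term of Table 19's pitch-rate trip


@dataclass
class DualSensorLogic:
    both_computers_ok: bool = True
    state: str = "DUAL"     # DUAL -> SINGLE_A | SINGLE_B -> SHUTDOWN
    miscompares: int = 0
    diag_trips: int = 0

    def step(self, a, b, err_a, err_b):
        """One sample: a, b are the like-sensor outputs; err_a, err_b are the
        diagnostic-filter errors. Returns the value given to the control law."""
        if self.state == "DUAL":
            exceeded = abs(a - b) > MISCOMPARE_LEVEL
            self.miscompares = self.miscompares + 1 if exceeded else 0
            if self.miscompares < TRIPS_REQUIRED:
                return 0.5 * (a + b)             # no discrete yet: use the average
            if not self.both_computers_ok:
                self.state = "SHUTDOWN"          # only one diagnostic error exists
                return None
            # First failure: isolate by relative magnitude, no threshold involved.
            self.state = "SINGLE_B" if abs(err_a) > abs(err_b) else "SINGLE_A"
        if self.state == "SHUTDOWN":
            return None
        # Fail-safe monitoring of the surviving sensor against a diagnostic threshold.
        value, err = (a, err_a) if self.state == "SINGLE_A" else (b, err_b)
        self.diag_trips = self.diag_trips + 1 if abs(err) > DIAG_LEVEL else 0
        if self.diag_trips >= TRIPS_REQUIRED:
            self.state = "SHUTDOWN"              # second like-fault: detected, not isolated
            return None
        return value


# Constructed pitch-rate samples (deg/sec): (gyro A, gyro B, diag error A, diag error B)
CONSTRUCTED_SAMPLES = (
    [(1.0, 1.1, 0.1, -0.1)] * 4      # healthy
    + [(3.0, 1.0, 0.2, 0.1)] * 2     # two-sample transient: must not set the discrete
    + [(1.0, 1.1, 0.1, -0.1)]        # healthy again, counter resets
    + [(20.0, 1.0, 19.0, 0.1)] * 3   # gyro A hardover
    + [(20.0, 1.0, 19.0, 0.1)] * 2   # operating on gyro B alone
    + [(20.0, 0.0, 19.0, 2.0)] * 3   # gyro B goes dead during a maneuver
)


def run(both_computers_ok=True):
    """Feed the constructed samples through the logic; return (states, outputs)."""
    logic = DualSensorLogic(both_computers_ok=both_computers_ok)
    states, outputs = [], []
    for a, b, err_a, err_b in CONSTRUCTED_SAMPLES:
        outputs.append(logic.step(a, b, err_a, err_b))
        states.append(logic.state)
    return states, outputs


if __name__ == "__main__":
    for label, ok in (("both computers up", True), ("one computer failed", False)):
        states, outputs = run(ok)
        print(label)
        for i, (s, o) in enumerate(zip(states, outputs)):
            print(f"  sample {i:2d}: state={s:9s} output={o}")
```

Note that the corrupted average is still passed to the control law for the two samples before the miscompare discrete is set, which is the price of the three-sample persistence requirement.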

4.1.5  Fail-Safe  Sensor  Logic 

Three types of fail-safe sensor logic are required for the subject application:

1.  Comparison  monitoring  of  dual  like-signals  without  a related  diagnostic 
function  (analytical  redundancy).  Examples  include  lateral  acceleration 
(for  which  there  is  only  a marginal  diagnostic  capability)  and  the  other 
dual  sensors  after  either  failure  of  one  computer  or  failure  of  an  input  to 
the  relevant  diagnostic  filter. 

2.  Monitoring  of  the  level  of  a diagnostic  error  function  after  failure  of  one 
sensor  in  a dual  set.  For  example,  if  the  pitch  rate  gyro  in  Channel  A 
fails,  the  condition  of  the  pitch  rate  gyro  in  Channel  B is  monitored  by 
the  relevant  diagnostic  filter. 

3. Monitoring of a single sensor by its associated diagnostic filter. The
approach here is to require (in the absence of other faults) a failure
indication from both computers to avoid fault indication due to failure of a dual
sensor; that is, a dual sensor failure yet to be detected by a comparison
monitor would be detected in only one computer.

The first two logic types are fairly obvious, but the third is somewhat dependent on the
specific diagnostic test used.

Note  that  the  general  approach  is  to  indicate  faults  by  sensor  groups  rather  than  attempt 
more  isolation  by  less  reliable  logic  combinations.  Whereas  the  latter  could  be  used  in 
theory,  marginal  failure  situations  could  result  in  faulty  isolation.  This  conclusion  is 
tested  with  Concept  III.  Furthermore,  there  is  not  a great  deal  to  be  gained  from 
better  isolation  from  the  standpoint  of  the  flight  control  data  usage.  For  the  A-7D,  it 
is  noted  that: 

• If the platform fails, there is no use for TAS or altitude.

• If TAS fails, the platform and altitude are only good for autopilot modes.
A full CAS can be safely tried by using limited authority outer-loop inputs.

• If altitude fails, the pitch MM could still be used (which is not known without
isolation to the altitude fault). The lateral-directional MM are lost
regardless. Autopilot modes may be safely tried (altitude hold won't work).


4.2 CONCEPT I--THE OBSERVER/BLENDER

The basic relationships and goals of the concepts for development were laid out in
Section 2. One of the key objectives of Concept I was to examine how cheaply
(computationally) a diagnostic filter could be implemented. Also, a design technique based
mostly on frequency domain considerations was tested indirectly.

The basic operation of the observer/blender is to blend state and state derivative into
a consistent error function. For example, the relationship between a scalar position
and velocity is

$$V_x = \dot{X} \qquad (23)$$


Two  important  characteristics  are  observed: 


1.  Information  about  both  state  and  derivative  is  available. 

2.  The  describing  Equation  (23)  is  exact. 


The first characteristic is significant only where both state and derivative are not
available (as in the case of lateral acceleration, $n_y$).


The second characteristic is important because, for perfect measurements and perfect
continuous filtering,

$$e = 0$$


The  error  is  non-zero  because  of  three  real-world  situations: 

1. $X_m$ and $V_{xm}$ are not perfect representations of $X$ and $V_x$.

2. There is digital integration with associated sampling effects.

3. There are faults in $X_m$ and/or $V_{xm}$.

The  goal  of  analytical  redundancy  in  this  case  is  to  simply  distinguish  the  first  two 
situations  from  the  third  situation. 

4.2.1  Concept  I Candidate  Filters 

Matching  the  available  sensors  of  Table  16  with  the  equations  of  motion,  (1)  through  (15), 
the  candidate  error  signals  were  proposed  as  shown  in  Table  18. 

Of the nine candidate diagnostic filters, five were developed for evaluation. Anticipated
fault diagnosis capabilities are also listed in Table 18. Within the final set of five
algorithms, a good diagnostic filter exists for each sensor in Table 18 except $n_{ym}$ and V.

Lateral acceleration, $n_{ym}$, fault diagnosis is very difficult because of its low range of
magnitudes (±1/2 g) and because the required state to be used for blending (namely, $\beta$)
is not available. High-passing the sideslip measurement $\beta_m$, as suggested in Algorithm
7, is not advisable because of the low quality signal of $\beta_m$ and gust information, i.e.,
$\beta_m = \beta$ + lateral gust. A recommendation to add a more effective sideslip indicator
might be in order; however, the goal of this study is not to add sensors. Also, as
indicated in Table 17, $n_y$ is not mission-critical. Therefore, its diagnostic is not
considered crucial to the system.

TABLE 18. CANDIDATE CONCEPT I ERROR SIGNALS

*Fault diagnosis is possible but not expected or necessary.
**Initial feasibility examined but not developed.

Airspeed is also directly unaccounted for in Concept I. Diagnostic Filters 4 and 5
might provide a low level fault detection capability due to the minor role.

Filter 6 would provide a much better capability for detecting airspeed measurement
faults; however, the complexity is considered excessive and counter to the goal of
simplicity for Concept I.

Both $n_y$ and airspeed are addressed in Concept II. Both are considered to have minor impact
on mission reliability; therefore diagnosis in Concept I is not critical.

Block  diagrams  for  Filters  1 through  5 are  shown  in  Figures  19  through  23. 


Figure 19. Filter I-1: Roll Rate Observer/Blender

Figure 21. Filter I-3: Yaw Rate Observer/Blender


4.2.2  Observer/Blender--Monitor  Levels  and  Fault  Detection 

Monitor  functions  for  Concept  I are  derived  by  using  the  individual  sensor  characteristics 
in  Section  3.  The  key  to  "adequate"  monitoring,  of  course,  is  highly  dependent  on  the 
monitor  trip  levels.  As  these  levels  increase,  the  monitor  finally  gets  to  the  point  where 
"hardovers"  only  are  detected  or  extreme  maneuvering  is  required  to  activate  the  monitor 
output.  The  first  approach  to  fixing  the  monitor  trip  level  was  to  RSS  all  the  errors 
introduced by imperfect state measurements (nulls, resolution hysteresis, turbulence,
etc.). This approach attempts to define a monitor level which has a definite relation
to nuisance disengagements. This approach results in some relatively large monitor
trip levels, particularly when 3σ gusts are included as an error in the measurement
algorithms.

Table 19 contains the monitor functions for the five Concept I algorithms. In general,
the algorithms for derivation of body rates from platform-derived Euler angles (Figures
19, 20, and 21) provide monitor levels somewhat tighter than those possible with dual
sensor comparators. Further, these algorithms provide good hardover and dead sensor
failure detection for both the body rate sensor and the equivalent derived Euler rate,
e.g., pitch rate, $Q$, and Euler rate, $\dot{\theta}$ (hence Euler attitude $\theta$). Dead-faults are
detected with reasonable maneuvering control inputs. This is also demonstrated in
Table 19 by comparing these monitor levels with the dual sensor comparison monitor
levels.

The minor terms in the monitor functions do not provide good monitoring in themselves,
but because they are included they will provide a tighter monitor tolerance for the primary
signals.

The normal acceleration algorithm shown in Figure 22 is a kinematic approach,
converting angular rates and resolving the gravity vector into normal acceleration. This
approach has two serious deficiencies. First, the algorithm requires kinematic velocity
(vehicle velocity with respect to the ground), but the air data sensor gives vehicle
velocity with respect to the air mass. The difference is steady and turbulent winds,
which are direct errors in computed $n_z$. Steady winds aloft (e.g., jet stream or its
influence), which could be a significant part of the total vehicle velocity, are treated as
a percentage error on $n_z$ (0.35 $n_z$ in the monitor function). The second major deficiency
is the derived angle-of-attack rate which is rich in turbulence-induced noise. If the
system is designed to tolerate Mil-Spec 8785 gusts (21 ft/sec, 3σ), then inspection of
the algorithm reveals that the 21 ft/sec vertical velocity is sensed directly by the monitor
as 21/32.2 = 0.65 g's. This g-level will be modified eventually, depending on the
turbulence bandwidth and algorithm filtering. Worst case analysis was used here. This
is also reflected in Table 19 by comparing the first term's monitor level for $n_z$ with
that for the dual sensor comparison monitor.

TABLE 19. PRELIMINARY OBSERVER/BLENDER MONITORS

Algorithm              Monitor Level

1. $P_e$ (deg/sec)     Trip $\ge 3.74 + 0.0596\,|P_m|$
                       CM* Trip $\ge 5.12 + 0.0842\,|P_m|$

2. $Q_e$ (deg/sec)     Trip $\ge 0.54 + 0.039\,|Q_m| + 0.0053\,|P_m| + 0.0197\,|R_m|$
                       CM Trip $\ge 0.76 + 0.0484\,|Q_m| + 0.0075\,|P_m|$

3. $R_e$ (deg/sec)     Trip $\ge 0.63 + 0.0378\,|R_m| + 0.0050\,|P_m| + 0.0197\,|Q_m|$
                       CM Trip $\ge 0.89 + 0.046\,|R_m| + 0.0071\,|P_m|$

4. $n_{ze}$ (g's)      Trip $\ge 0.65 + 0.35\,|n_{zm}| + 0.015\,|Q_m| + \dfrac{U_m}{57.3\,g}\,[\,0.54 + 0.0342\,|Q_m| + 0.0353\,|P_m|\,]$
                       CM Trip $\ge 0.082 + 0.076\,|n_{zm}| + 0.005\,|Q_m|$

5. $h_e$ (ft/sec)      Trip $\ge 2.7 + 0.0281\,|U_m|$ + 0.35/»i/ + 21

*CM = Comparison Monitor

Consideration of winds aloft and turbulence seriously degrades the efficiency of this
algorithm in detecting faults. In general, it will detect pitch rate ($Q$) and normal
acceleration ($n_z$) hardovers and dead faults, but airspeed and angle-of-attack faults
will escape detection except under certain restrictive conditions.

The final algorithm, Figure 23, monitors the altitude sensor. Although the algorithm
appears in another mechanization, it was not effectively monitored there. In
fact, steady state or absolute altitude monitoring is not provided. Thus, sensor faults
resulting in altitude "drifts" within the defined tolerances will not be detected.

The altitude algorithm again is "kinematic" and will develop errors in proportion to steady
winds and turbulence, similar to the normal acceleration mechanization discussed earlier.
Vertical gust components sensed by the angle-of-attack vane (21 ft/sec - 3σ) will
necessitate a higher monitor level to account for this. This is probably an unacceptable altitude
monitor as it stands. A wind estimation input (if available) would be a significant
improvement and may offer some hope. Integration of the derived altitude rate to provide a
reference absolute altitude is intuitively unworkable, even with periodic updates, when
considering steady wind errors (which in general cannot be estimated from the assumed
sensor complement).

In  operation,  an  error  signal  must  trip  (exceed)  its  monitor  level  three  consecutive  times 
for  a fault  declaration.  This  allows  a low  monitor  level  while  maintaining  the  required 
false alarm probability (i.e., one false alarm per 1000 flight hours). Multiple trips,
signal  correlation,  and  false  alarms  are  discussed  further  in  Section  5. 

4.3 CONCEPT II: DIAGNOSTIC KALMAN FILTERS

4.3.1 Equivalence of Observer/Blender and the Kalman Filter

The observer/blender idea in Concept I was characterized by simplicity and utilization
of classical frequency domain techniques. By comparison, Concept II allows more
complexity, albeit more performance expectations. Also, a time domain approach is
used here.

Comments on these two guidelines are in order. First, simplicity versus complexity
is not implied by the difference in design technique. Indeed, if the design goals of
Concept I are repeated in the monitor (i.e., accountability for sensor characteristics
such as bias, scale factor, and wind gusts), a Kalman filter approach would produce
the same filters in structure as Concept I. Figure 24 uses the same position-velocity
example presented earlier to demonstrate the equivalence of the classical approach
addressed in Concept I with a steady state Kalman filter designed in the continuous time
domain.

The equivalence, in structure, leaves only one difference between the construction of
an observer/blender error signal function and a Kalman filter residual: the value of the
feedback gain $K$ ($1/\tau$). In Concept I, a value of $\tau = 0.10$ sec was chosen to differentiate
(by high-pass filters) frequencies in the rigid body motion of the aircraft. Is this
the optimum time constant for fault detection? If not, what is? Note that Equation (24)
is valid regardless of the value of $\tau$.

Basic Physical Relationship

$$V_x = \dot{X}$$

Available Measurements

1. Position: $X_m = X + \eta_x$; $\eta_x \sim N(0, \sigma_x)$ white

2. Velocity: $V_{xm} = V_x + \eta_v$; $\eta_v \sim N(0, \sigma_v)$ white

Observer/Blender Error Signal

$$e = \frac{1}{\tau s + 1}\,V_{xm} - \frac{s}{\tau s + 1}\,X_m$$

Kalman Filter Design

1. State Space Solution

$$\dot{\hat{X}} = K(\nu) + V_{xm}$$

where the filter residual

$$\nu = X_m - \hat{X} \quad \text{(residual)}$$

$K$ = steady state Kalman gain

2. Frequency Domain Transfer Function

$$\nu(s) = \frac{s X_m - V_{xm}}{s + K}$$

$$\tau = \frac{1}{K}$$

Then

$$e = -K\nu$$
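
The equivalence $e = -K\nu$ and its use for fault detection can be checked numerically. The following is an added example, not part of the report: it runs the observer/blender and the steady-state Kalman form side by side on a constructed position-velocity record, with an assumed sample period, assumed noise bounds and an assumed constant monitor level, and applies the three-consecutive-trip rule to a dead velocity sensor.

```python
import math
import random

DT = 0.01             # assumed sample period, sec
TRIP_LEVEL = 0.1      # assumed constant monitor level on e
NX, NV = 0.001, 0.02  # assumed bounds on position and velocity measurement noise


def simulate(tau=0.10, fault_time=None, steps=800, seed=1):
    """Run the observer/blender and the Kalman form side by side.

    Truth is X(t) = sin t, V_x(t) = cos t (constructed). After fault_time the
    velocity sensor is dead (reads 0). Returns (e history, residual history).
    """
    k_gain = 1.0 / tau
    rng = random.Random(seed)
    lag_v = 0.0                  # state of 1/(tau s + 1) driven by V_xm
    lag_x = x_hat = None         # lag state driven by X_m; Kalman estimate
    e_hist, nu_hist = [], []
    for k in range(steps):
        t = k * DT
        x_m = math.sin(t) + rng.uniform(-NX, NX)
        v_m = math.cos(t) + rng.uniform(-NV, NV)
        if fault_time is not None and t >= fault_time:
            v_m = 0.0
        if lag_x is None:
            lag_x = x_hat = x_m  # start both forms on the first position sample
        # e = V_xm/(tau s + 1) - s X_m/(tau s + 1); the second term is realized as
        # (X_m - lag(X_m))/tau so that no explicit differentiation is needed.
        e = lag_v - (x_m - lag_x) / tau
        nu = x_m - x_hat         # Kalman residual
        e_hist.append(e)
        nu_hist.append(nu)
        lag_v += DT * (v_m - lag_v) / tau          # forward-Euler updates
        lag_x += DT * (x_m - lag_x) / tau
        x_hat += DT * (k_gain * nu + v_m)
    return e_hist, nu_hist


def max_equivalence_error(tau):
    """Largest |e + K*nu| over a healthy run; zero up to rounding if e = -K*nu."""
    e_hist, nu_hist = simulate(tau=tau)
    return max(abs(e + nu / tau) for e, nu in zip(e_hist, nu_hist))


def declaration_time(e_hist, level=TRIP_LEVEL, trips=3):
    """Time of the third consecutive exceedance of the monitor level, else None."""
    run_length = 0
    for k, e in enumerate(e_hist):
        run_length = run_length + 1 if abs(e) > level else 0
        if run_length >= trips:
            return k * DT
    return None


if __name__ == "__main__":
    for tau in (0.05, 0.10, 0.5):
        print(f"tau={tau}: max |e + K nu| = {max_equivalence_error(tau):.2e}")
    healthy, _ = simulate()
    print("healthy max |e|:", max(abs(e) for e in healthy))
    faulty, _ = simulate(fault_time=5.0)
    print("dead velocity sensor declared at t =", declaration_time(faulty))
```

With $\tau = 0.10$ the position noise enters $e$ multiplied by $1/\tau$, so the healthy error floor in this run is set about equally by the two sensors even though the assumed position noise is twenty times smaller.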


In the Kalman filter sense, a small time constant $\tau$ (a high gain $K$) implies greater
confidence in the measurement $X_m$ relative to $V_{xm}$. This gain value is proportional to
the ratio $\sigma_v/\sigma_x$. If $X_m$ is a far cleaner (i.e., less noise) signal than $V_{xm}$, the Kalman
filter uses much more $X_m$ in lieu of $V_{xm}$. The limit is an infinite gain which means
that no filter is necessary because $X_m$ is a perfect representation of $X$.

The underlying premise of analytical redundancy is to use $V_{xm}$ to verify $X_m$ and vice
versa. An infinite gain (or in a practical sense a high gain) results in an overwhelming
trust in $X_m$ including its faults.

The  conclusions  for  diagnostic  filter  design, 

1.  Neither  choosing  t to  differentiate  the  rigid  body  frequencies  (Concept  I), 

2.  Nor  calculating  K solely  on  noise  ratios  (Concepts  II  and  III), 

guarantee  a successful  design  which  meets  the  goals  of  analytical  redundancy. 

However,  Kalman  filtering  does  have  one  nice  property:  a residual  (error  signal)  with 
low  autocorrelation.  The  significance  of  this  will  be  demonstrated  later  in  discussions 
about  monitors. 

4.3.2 Concept II Performance Goals

Complexities in the Kalman filter designs result from attempts to provide better
accountability for sensor characteristics in the diagnostic filters. This results in
lower monitor levels. Specific extensions in Concept II are:

• Body  rate  bias  and  scale  factor  estimation  to  reduce  monitor  levels  and 
investigate  bias  estimation  for  bias  fault  detection. 

• Gust estimation to enhance diagnosis of angle-of-attack faults.

Additional complexity also results from scheduling a KF on dynamic pressure for the
lateral-directional acceleration equations of motion: (5), (13), and (15). The goal here
is to create a diagnosis capability for lateral acceleration ($n_{ym}$ is not checked in Concept
I) and airspeed ($U_m$ is addressed only indirectly in Concept I).

4.3.3  Euler  Angles  and  Body  Rates 

A specific goal of Concept II is to relieve the monitor of certain error sources outlined
in the Concept I discussions for the formulation of the Euler angle-body rate filters--
Equations (10) through (12). These error sources are bias and scale factor errors in
body rate gyros ($P_m$, $Q_m$, $R_m$).

Another  important  consideration  is  the  impact  of  the  extensive  nonlinear  nature  of  the 
equations.  An  ultimate  treatment  would  involve  extended  Kalman  filtering  with  continual 
gain  calculations  based  upon  error  covariance  updating.  This  approach  would 
provide  the  best  estimates  and  the  lowest  monitor  levels  for  fault  detection.  The 
computational  expense  of  this,  however,  would  far  exceed  its  usefulness  for  detecting 
faults. 

An  approach  taken  by  Montgomery  (Reference  13)  is  to  design  by  using  constant  filter 
gains  but  nonlinear  update  equations.  This  approach  has  many  attractive  features: 

• Monitor  levels  based  upon  residual  mean  value,  although  they  include 
nonlinearities,  are  consistent  enough  to  provide  good  fault  detection. 

• The  computational  expense  is  far  less  than  a full  extended  Kalman  filter. 

• Kalman gains can still be changed (scheduled) on key inputs.

Examples of this approach are included in the specific designs discussed below.

4.3.4 Euler Angle--Body Rate Kalman Filter

The equations of motion relating Euler angles to body rates are:

$$\dot{\phi} = P + (Q \sin\phi + R \cos\phi)\tan\theta \qquad (7)$$

$$\dot{\theta} = Q \cos\phi - R \sin\phi \qquad (8)$$

$$\dot{\psi} = (Q \sin\phi + R \cos\phi)\sec\theta \qquad (9)$$

In order to calculate the filter gain, a nominal design must be chosen. Although
schedules on $\phi$ and $\theta$ are possible, the implementation would be cumbersome. The
initial design therefore is based upon a simplified system ($\theta = \phi = 0$), or

$$\dot{\phi} = P \qquad (25)$$

$$\dot{\theta} = Q \qquad (26)$$

$$\dot{\psi} = R \qquad (27)$$


Working with just Equation (7), the filter design becomes one of estimating $\phi$ with
a known driver $P$; however, roll rate is not known without error. The equations
therefore become:

State:

$$\dot{\phi} = P_m - P_e \qquad (28)$$

Measurement:

$$\phi_m = \phi + \phi_e \qquad (29)$$

where "e" refers to the measurement errors associated with $P$ and $\phi$.

In order to incorporate important body rate errors, $P_e$ is expanded to

$$P_e = P_b + M_p P_m + \eta_p \qquad (30)$$

where

$P_b$ is roll rate null bias

$M_p$ is a scale factor error

$\eta_p$ is random $\sim N(0, \sigma_p)$ white

The roll angle error is modeled as

$$\phi_e = \eta_\phi; \quad \eta_\phi \sim N(0, \sigma_\phi)\ \text{white}$$

where the roll angle, $\phi$, can therefore be modeled with a third order representation:

$$\dot{\phi} = P_m - P_b - M_p P_m - \eta_p \qquad (32)$$

$$\dot{P}_b = 0 \quad (P_b\ \text{assumed constant}) \qquad (33)$$

$$\dot{M}_p = 0 \quad (M_p\ \text{assumed constant})$$


The state space description is:

$$\dot{x} = Fx + G_1 u + G_2 \eta \qquad (34)$$

$$y = Hx + E_1 u + E_2 \eta \qquad (35)$$

where

$x = (\phi, P_b, M_p)^T$ (state vector)

$y = \phi_m$ (measurement vector)

$F =$

$G_2 =$

$E_2 = (0, 1)$

$H = (1, 0, 0)$


4.3.5  Observability 

The treatment of this problem is directly affected by the observability of the system.
Given that $F$ is time varying, one must apply the appropriate observability criterion
(Reference 32):

$$\operatorname{rank}\,\Gamma = n$$

where

$$\Gamma = [\Gamma_1, \Gamma_2, \ldots, \Gamma_n]$$

$$\Gamma_1 = H^T(t)$$

$$\Gamma_k = \frac{\partial \Gamma_{k-1}}{\partial t} + F^T(t)\,\Gamma_{k-1} \qquad (k = 2, \ldots, n)$$

For this problem

$$0 \qquad -P_m \qquad -\frac{\partial P_m}{\partial t}$$

The rank of $\Gamma$ depends entirely on the time-varying nature of $P_m$. A design based on an
assumed steady value of $P_m$, i.e., $\partial^{k-2} P_m / \partial t^{k-2} = 0$, would be unobservable. Likewise
a time-varying filter would exhibit weak reconstruction for periods of low roll activity.

The approach taken here is to employ logic based on body rate and Euler angle activity
to switch alternately from bias estimation for low $\phi$ and $P_m$ activity to scale factor
estimation for high $P_m$ activity. The same procedure also holds for "$\theta$ - $Q$" and "$\psi$ - $R$"
filters.
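
The rank test above can be evaluated numerically. The following is an added example, not from the report: because the $F$ matrix does not survive on this page, the code takes its first row from the third-order model $\dot{\phi} = P_m - P_b - M_p P_m - \eta_p$ with $H = (1, 0, 0)$, which is an assumption, and it goes one step beyond the text by also testing the two reduced two-state models (bias only, scale factor only) that the switching logic alternates between. The roll-rate inputs are constructed.

```python
import math


def full_model(p_m):
    """First row of F for x = (phi, P_b, M_p): phi_dot = P_m - P_b - M_p * P_m."""
    return lambda t: [0.0, -1.0, -p_m(t)]


def bias_only(p_m):
    """x = (phi, P_b): scale factor held fixed while bias is estimated."""
    return lambda t: [0.0, -1.0]


def scale_only(p_m):
    """x = (phi, M_p): bias held fixed while scale factor is estimated."""
    return lambda t: [0.0, -p_m(t)]


def gamma_columns(first_row, t, h=1e-4):
    """Gamma_1 = H^T, Gamma_k = dGamma_{k-1}/dt + F^T Gamma_{k-1}, with H = (1, 0, ...).

    Only the first row of F is nonzero here, so (F^T g)_j = F[0][j] * g[0].
    Time derivatives are central differences with step h.
    """
    n = len(first_row(t))

    def g1(_t):
        return [1.0] + [0.0] * (n - 1)

    def successor(prev):
        def col(tt):
            ahead, behind, here = prev(tt + h), prev(tt - h), prev(tt)
            return [(a - b) / (2 * h) + f * here[0]
                    for a, b, f in zip(ahead, behind, first_row(tt))]
        return col

    cols = [g1]
    for _ in range(n - 1):
        cols.append(successor(cols[-1]))
    return [c(t) for c in cols]


def rank(cols, tol=1e-6):
    """Rank of the matrix whose columns are `cols` (Gaussian elimination)."""
    m = [list(row) for row in zip(*cols)]
    n_rows, rk = len(m), 0
    for c in range(len(cols)):
        if rk == n_rows:
            break
        pivot = max(range(rk, n_rows), key=lambda i: abs(m[i][c]))
        if abs(m[pivot][c]) <= tol:
            continue
        m[rk], m[pivot] = m[pivot], m[rk]
        for i in range(rk + 1, n_rows):
            factor = m[i][c] / m[rk][c]
            m[i] = [x - factor * y for x, y in zip(m[i], m[rk])]
        rk += 1
    return rk


def steady(t):          # constructed input: constant roll rate, rad/sec
    return 0.2


def maneuver(t):        # constructed input: oscillating roll rate, rad/sec
    return 0.2 * math.sin(2.0 * t)


def wings_level(t):     # constructed input: no roll activity
    return 0.0


if __name__ == "__main__":
    cases = [
        ("full model, steady P_m", full_model(steady)),
        ("full model, maneuvering P_m", full_model(maneuver)),
        ("bias only, no roll activity", bias_only(wings_level)),
        ("scale factor only, no roll activity", scale_only(wings_level)),
        ("scale factor only, steady P_m", scale_only(steady)),
    ]
    for name, model in cases:
        cols = gamma_columns(model, 0.0)
        print(f"{name}: rank {rank(cols)} of {len(cols)}")
```

The reduced models show why the switching is legitimate: the bias-only pair is observable with no roll activity at all, while the scale-factor-only pair needs a nonzero roll rate.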


4.3.6  Estimator  Design 

Use of rate noise parameters, presented in Section 3, incorporates unmodeled dynamics
into the problem solution, i.e., structural modes. A standard rule of thumb for attitude
errors (0.25 percent of full scale) was used. The bias gain can be calculated with
Kalman filtering theory by using one of a number of ad hoc methods, e.g., fictitious
noise inputs or assumed correlation. The goal here, however, is to maintain estimation
accuracy with a reasonable bandwidth for the bias estimation. The procedure used,
therefore, was to select a bias gain based on bandwidth. Block diagrams of diagnostic
filters are shown in Figures 25, 26, and 27. The residual RMS did not change appreciably
over the optimum design case; that is, no bias or scale factor errors were assumed.


Figure  27.  Diagnostic  Filter  for  Equation  (9) 


Scale factor estimates result from switching off the bias estimates during high activity
periods, chosen here to be $P_m$, $Q_m$, and $R_m \ge 0.1$ rad/sec. This results in switching
observability from bias to scale factor. This can be done legitimately because both
bias and scale factor are assumed constant. In practice this is a good assumption for
scale factor, but bias may drift (within specification) which theoretically means that
difficulty will be encountered by the filter during periods not spent on bias estimation.
The bias drift, however, is much too low in frequency to cause a problem unless continuous
maneuvering over long periods of time is performed.

4.3.7 Altitude, Angle-of-Attack, and Normal Acceleration Design

The  major  difficulty  associated  with  angle-of-attack  estimation  is  the  corruption  of  the 
sensed  signal  with  wind  gust  inputs.  The  diagnostic  filter  design  for  angle-of-attack 
is  combined  with  altitude  and  normal  acceleration  using  the  following  equations: 


$\dot{h} = U \sin\theta - W \cos\theta \cos\phi - V \cos\theta \sin\phi$

$\dot{W} = A_z + g \cos\theta \cos\phi - PV + QU$

$h_m = h + \eta_h$; $\eta_h \sim N(0, \sigma_h)$ white

$\alpha_m = \tan^{-1}[(W - W_g)/U_a] + \eta_\alpha$; $\eta_\alpha \sim N(0, \sigma_\alpha)$ white

$n_{z_m} = -A_z + \eta_{n_z} - g$; $\eta_{n_z} \sim N(0, \sigma_{n_z})$

$\theta_m = \theta + \eta_\theta$; $\eta_\theta \sim N(0, \sigma_\theta)$

The introduction of the vertical wind gust, $W_g$, results in having to account for this in the
design:

$\dot{W}_g = -a_w W_g + g_w \eta_w$; $\eta_w \sim N(0, 1)$

where

$g_w = \sigma_g \sqrt{2 a_w}$

Simplifying the equations results in design models for steady gains.

$\dot{h} = -W + U_m \theta_m - U_m \eta_\theta$

$\dot{W} = -n_{z_m} + U_m Q_m - \eta_{n_z} - U_m \eta_q + g$

$\dot{W}_g = -a_w W_g + g_w \eta_w$

$h_m = h + \eta_h$

$\alpha_m = (W - W_g)/U_m + \eta_\alpha$

where

$\sin\phi \approx 0$; $\cos\phi \approx 1$

$\sin\theta \approx \theta$; $\cos\theta \approx 1$

$PV = 0$

$U_a = U_m$

$\tan\alpha_m = \alpha_m$

$U_a$ refers to forward velocity relative to wind, i.e., $U_a$ = U - forward wind.


Two inputs of consequence are $\theta_m$ and $U_m$. Although this filter does not address either
sensor directly, fault detection for both is promising. Pitch angle, in particular, drives
the filter significantly and would logically result in some high filter activity during a
fault. One area of interest would be $\theta_m$ bias errors. It has been demonstrated earlier
that filters like the Euler angle-body rate designs previously discussed will high pass
$\theta_m$, $\phi_m$, and $\psi_m$. Bias errors will go undetected in these filters. The current
application will be sensitive to $\theta_m$ bias errors.

Airspeed, $U_m$, enters into the current formulation twice. Expectations of detecting
airspeed faults are reserved at best (simulation results were good).


Figure  28  contains  the  mechanization  of  this  filter  designed  with  discrete  Kalman  filtering. 


4.3.8 Lateral Acceleration Diagnostic Filter

Concept I discussions revealed that handling fault detection of the lateral accelerometer,
$n_{y_m}$, should be relegated to Concept II. Previous issues discussed were as follows:

• The lack of necessary information, namely β, reduces the prospect of
identifying faults in $n_{y_m}$.

• Fail operation in a degraded mode is possible without $n_{y_m}$.

The task of determining $n_{y_m}$ faults was undertaken, nonetheless, with the following
disclaimers:

• It might not work.

• If it does, it will be expensive (computationally).

The required design effort involves constructing a gain-scheduled lateral-directional
Kalman filter using Equations (5), (7), (13), and (14). The design exercise, however,
has more implications than just $n_{y_m}$. Concept III relies heavily on gain-scheduled
acceleration equations for fault diagnosis. The foregoing design can be considered
preliminary to Concept III development.

4.3.9 Gain Scheduling and Filter Performance

In order to evaluate the impact of gain scheduling (or the lack of it) upon a Kalman filter
design for sensor fault detection, a suitable evaluation criterion must be developed.

Since  all  advanced  schemes  considered  rely  on  filter  residuals  as  a monitor  input,  the 
study  concentrates  on  this  variable.  Two  such  criteria  might  be  a minimal  residual 
covariance  response  ratio  and  residual  correlation. 

Minimal Residual Covariance Response Ratio--Letting the equation

$B^* = E[v_i v_i^T]$

be the residual covariance matrix for the optimal filter, then

RMS ratio = $\mathrm{tr}\{B^{*-1} E[v_i v_i^T]_D\}/n_r$

Subscript D refers to the design filter. In practice this may be the optimum for another
flight condition or a gain schedule of some sort, or it may be completely arbitrary.
For a gain schedule approaching the ideal plant, i.e., one for which a Kalman filter is
designed,

$\mathrm{tr}\{B^{*-1} E[v_i v_i^T]\} \to$ (number of measurements)

For this analysis, the following evaluation parameter can be used:

RR  s tr 

‘ r 

where

$B_D = E[v_i v_i^T]$ for the proposed suboptimal filter design

RR = residual response ratio

It should be noted that if $B_D = B^*$, i.e., the optimum filter itself, then

RR = 1


The  closeness  or  "goodness"  of  a given  filter  design  can  be  evaluated  with  this  parameter 
relative  to  other  suboptimal  designs. 


Residual Correlation--The optimum design produces a "white" residual, i.e.,

$E[v_i v_j^T] = B^*$ for $i = j$
$\qquad\qquad = 0$ for $i \neq j$

Given an arbitrary filter gain, K, used with the following filter:

$\hat{x}_i = \bar{x}_i + K(y_i - C\bar{x}_i)$

$\bar{x}_{i+1} = A\hat{x}_i + B u_i$

and assuming that A, C, and are identical to actual plant process, the correlation
becomes

$E[v_{i+1} v_i^T] = CA[MC^T - K(CMC^T + D_2 Q D_2^T)]$

† Filter assumed stable.


where

$M = E[(x_i - \bar{x}_i)(x_i - \bar{x}_i)^T]$

Q = diagonal matrix containing process and measurement noise variances

For $K = K^*$ (optimum),

$E[v_{i+1} v_i^T] = 0$

It is hypothesized that $v_i$ is an $n_r^{th}$ order Markov process

$v_{i+1} = \Phi v_i + \pi_i$

where

$\Phi$ = correlation transfer matrix ($n_r \times n_r$)

$\pi_i$ = white noise driving term

$E[v_{i+1} v_i^T] = \Phi E[v_i v_i^T] + E[\pi_i v_i^T]$

Therefore,

$\Phi = E[v_i v_i^T]^{-1} E[v_{i+1} v_i^T]$

$\quad = [CMC^T + D_2 Q D_2^T]^{-1}\, CA[MC^T - K(CMC^T + D_2 Q D_2^T)]$

The eigenvalues of $\Phi$ provide useful information about the correlation of a given residual.

The $i^{th}$ eigenvalue in continuous form is

$\lambda_i^c = (-1/\Delta T)\,\mathrm{Ln}[\lambda_i(\Phi)]$,   $i = 1, 2, \ldots$

where

$\lambda_i(\Phi)$ is the corresponding $i^{th}$ discrete eigenvalue of $\Phi$
$\Delta T$ is the sample rate
$\lambda_i^c$ is the equivalent continuous system eigenvalue

The goal is to achieve white residuals or

all $\lambda_i^c$'s $\to \infty$

As the eigenvalues, $\lambda_i^c$'s, move closer to the origin, the process is more correlated. In
any case, an eigenvalue which indicates that the correlation occurs within the plant
bandwidth (i.e., $\lambda_i^c$ > "10 rad/sec) would be unacceptable.

These two evaluation criteria indicate the ability of a suboptimal filter design to perform
relative to the real optimum case. The development allows analysis for an arbitrary K;
however, a more general case also includes a completely arbitrary plant description.
Figure 29 outlines the equivalent procedure for an arbitrary filter.

The application of this parameter sensitivity analysis has the following limitations:

• It is theoretically applicable only to discrete plant changes, i.e., a linear
filter applied to a linear plant. Dynamic pressure variations are assumed
low enough in frequency to be valid for such analysis. A more general
nonlinearity would not be valid.

• Postulating a stochastic control input, $u_i$, is necessary for evaluating the
effect of mismatches between scheduled and actual control effectiveness,
i.e., and An approach might be to model the human operator as
a correlated noise input, but this would not account for feedback control.
In any case, this analysis is really not convenient for such a determination.

4.3.10 Gain Scheduling the A-7


The use of acceleration equations in Concept II (for $n_y$ fault detection) and Concept III
requires that the implications of scheduling gains and aerodynamic coefficients be
examined. The approach taken here was to use linear analysis techniques described
in the previous subsection for the lateral-directional fault tolerant design.


For  ease  of  understanding,  the  state  space  equations  of  motion  are  given  in  continuous 
time  representation.  These  are  shown  in  Figure  30. 


Open-Loop System

$\dot{x} = Fx + G_1 u + G_2 \eta$
$y = Hx + E_1 u + E_2 \eta$

where

$\eta_p$; p measurement noise ~ N(0, 0.0192 rad/sec) white

$\eta_r$; r measurement noise ~ N(0, 0.00698 rad/sec) white

$\eta_\phi$; $\phi$ measurement noise ~ N(0, 0.00436 rad) white
Eleven flight conditions were chosen for design/analysis. These are summarized in
Table 20.


TABLE 20. ELEVEN CHOSEN FLIGHT CONDITIONS FOR GAIN SCHEDULING

FC   Mach          Altitude   Dynamic Pressure   Angle-of-Attack   Airspeed   Gross Weight
                   (ft)       (lb/ft^2)          (deg)             (ft/sec)   (lb)
1    (illegible)   0          133.3              9.28              355.1      25,338
2    (illegible)   0          533.2              3.26              670.2      "
3    (illegible)   0          1199.8             2.20              1005.2     "
4    (illegible)   15,000     133.7              8.45              423.2      "
5    (illegible)   15,000     300.9              4.36              634.8      "
6    0.9           15,000     677.0              2.75              952.2      "
7    1.1           15,000     1011.3             2.90              1163.8     "
8    0.6           35,000     125.5              8.60              583.9      "
9    0.9           35,000     282.4              4.13              876.0      "
10   0.227         0          76.3               10.10             253.6      29,240
11   0.227         0          76.3               5.36              253.6      20,350

Preliminary  results  using  this  model  showed  that  there  was  great  difficulty  maintaining 
stability  in  the  filter  despite  extensive  gain  scheduling  (i.e. , all  aerodynamic  coefficients 
and  filter  gains).  This  is  due  to  the  presence  of  the  Spiral  Root  near  the  origin  in  all 
11  open-loop  models.  The  closed-loop  design  for  each  condition  maintained  a root  near 
the  origin  (rationalized  as  a high  pass  on  and  subsequent  gain  scheduling  produced 
unstable  filters  for  many  flight  conditions. 

The  solution  to  this  problem  was  to  remove  the  roll  angle,  from  the  measurement 
set  and  use  it  as  an  input  instead.  This  not  only  removes  the  Spiral  Root  from  the 
model  but  also  has  the  following  benefits: 
• The order reduction is always a worthwhile computational goal.

• Roll angle is a good candidate because its dynamics are separated in
frequency from the dominant system roots, i.e., they have much lower
root.

• The  roll  angle  measurement  has  lower  measurement  noise;  therefore,  it 
does  not  cause  deterioration  of  the  Kalman  filter  performances. 

• As  will  be  demonstrated,  gain  scheduling  can  be  greatly  simplified  without 
substantial  performance  penalties. 

The  filter  can  now  be  based  on  the  model  shown  in  Figure  31. 

Design results were obtained for a number of gain-scheduling schemes. These schemes
represent a hierarchy of schedules ranging from exact gain and plant model reconstruction
(impossible from a practical standpoint) to a constant parameter, i.e., gain and
model of the filter (the simplest possible). Results are presented in Table 21. Residual
ratio data in Table 21 are presented in Figure 32. The trend lines demonstrate the
performance degradation at the extremes of the conditions. Interpretations of the results
are as follows:

• The Kalman gain, K, can be fixed at some mean flight condition. (Flight
Condition #2 is used here.)

• A full model gain schedule produces consistent results across the range
of dynamic pressure.

• Scheduling only the input matrix, $C_r$, demonstrates some performance
degradation but it may be adequate for fault detection and estimation.

• A constant gain system (FC #2's optimal design in this case) demonstrates
unacceptable performance at the q extremes. Figure 32 shows this for the
residual response ratio and Table 2 shows residual correlation roots within
the bandwidth of the aircraft system. This is likewise unacceptable since
the filter residual should appear "white" to the system dynamics; that is,
the correlation bandwidth should be higher than the system.

• None of the above designs include the effects of gain scheduling the input
dynamics, i.e., 8 , 8 , or 0 . This would have to be checked out in
simulation since no reasonable method for including their effects was
determined in the linear analysis.


Open-Loop  System 

$\dot{x} = Fx + G_1 u + G_2 \eta$
$y = Hx + E_1 u + E_2 \eta$


where 

T 

X = (6.  D.  r.  8 ) 


Figure  31.  Final  Lateral-Directional  Filter  Design  Plant 


*Constant values were obtained from optimum design at Flight Condition #2


Figure  32.  A-7D  Lateral-Directional  Axes  Filter  Gain  Schedules 


The  net  effect  of  this  design  exercise  is  a recommendation  that  the  gain  schedule  consist 

of  only  varying  the  measurement  input  matrix,  C_,  and  the  control  input  matrices, 

r Ir 

and  Dt-c,,  with  q.  This  results  in  one  schedule  for  C„,  that  being  a function.  Also,  a 
lx*  r p 

total  of  six  schedules — ^'sr'  ^®a'  g/U^--are  necessary  for  the 
control  input.  A gain  schedule  on  Ap,  was  used  in  the  simulation,  however. 

4.4 CONCEPT III - FAULT ISOLATION KALMAN FILTERS


The purpose of the Concept III design is to explicitly attack the fault isolation problem
by increasing the number of filters and choosing sensor families to selectively exclude
measurements. For example, the lateral-directional Concept II design described earlier
will produce error flags for a number of input measurements:


T 

y 


m 


m 


q) 


m 


For Concept III this is modified slightly to exclude roll angle. This can be
accomplished by high-passing all inputs above the Spiral Root frequency. Working in
conjunction with two other filters, this filter provides fault isolation for the three
measurements, $n_{y_m}$, $P_m$, and $R_m$. Table 22 shows this in truth table format.


The  longitudinal  axis  filters  are  also  included  in  Table  22,  yielding  a total  of  seven 
filters.  Of  this  total  only  four  are  necessary.  LON  #1  is  shown  because  it  represents 
a starting  point  in  the  design  process.  The  additional  two  filters,  one  lateral  and  one 
longitudinal,  were  added  to  provide  a higher  probability  of  success.  L-D  #3  and  LON  #3 
were  eliminated  during  simulation  evaluation. 


Dynamic  pressure,  q,  is  included  in  all  filter  measurement  families.  This  is  because 
all  filters  are  gain  scheduled  with  q.  Although  not  directly  designed  as  a dynamic 
pressure  error  checking  filter,  a catastrophic  failure  of  the  air  data  system  (hardover 
or  zero  output)  would  greatly  affect  the  operation  of  all  the  individual  filters  and  would 
produce  a unique  bit  pattern  in  the  truth  table. 

The individual filter designs for Concept III were based on reasoning identical to the
Concept II gain-scheduled lateral-directional diagnostic filter.


TABLE 22. CONCEPT III CANDIDATE DIAGNOSTIC FILTERS
FOR SUPER-DIAGNOSTIC FILTER CONSTRUCTION

Measurements/Flags

Filter: L-D #1, L-D #2, L-D #3, LON #1*, LON #2, LON #3, LON #4

*Designed as a starting point for other designs and is not a candidate for
Concept III.

4.4.1 Lateral-Directional Filters


Four  filters  have  been  designed  using  lateral-directional  acceleration  and  moment 
equations.  The  roll  angle  input  into  the  equations  is  removed  by  high-passing  the  input 
signals  and  controls  above  the  Spiral  Root  frequency.  In  design,  this  eliminates  the 
roll  angle  measurement  noise  from  the  set  of  driving  noise  sources  shown  in  Figure  31. 
Roll  angle  measurement  noise  only  minutely  affected  the  total  estimation  error  and 
residual  RMS  values. 

Figures  33,  34,  and  35  present  results  from  the  design  of  these  reduced  measurement 
filters.  Unlike  the  Concept  II  design,  it  seems  likely  that  a gain-scheduled  plant  matrix, 
A(q),  will  be  necessary  to  insure  filter  performance  across  the  q range. 


The optimal gain matrices (K*'s) proved to be quite close to the Concept II gain values.
This will reduce the on-board core which is necessary to perform the calculations by
eliminating new gain values for each filter. Note that only two filters are necessary for
fault isolation (L-D #3 was eventually eliminated during simulation evaluation).

Figure 33. Diagnostic Filter for $n_y$, P, q (L-D #1)


Figure 34. Diagnostic Filter for $n_y$, r, q (L-D #2)


Figure 35. Diagnostic Filter for P, r, and q (L-D #3)


4.4.2 Longitudinal Axis Filters


Figure  36  shows  the  continuous  representation  of  the  A-7D  pitch  axis  design  model  used 
for  the  Concept  III  designs.  Phugoid  oscillations  and  trim  are  eliminated  by  high-passing 
all  measurements  and  control  inputs. 

Again,  the  constant  gain,  K,  for  Flight  Condition  #2  proved  to  be  the  best.  Attempts 
were  made  to  gain-schedule  K over  the  flight  envelope,  but  plots  of  gain  values  versus 
dynamic  pressure  produced  extremely  confusing  gain  patterns.  A gain  schedule  for  K 
would  at  best  be  highly  complex  functions  that  would  not  produce  significantly  better 
performance  commensurate  with  this  extra  complexity. 

Figures  37,  38,  and  39  display  residual  ratio  performance  of  these  filters. 

Some  additional  observations  are  the  following: 

1.  The  landing  approach  (FC  #11)  design  evaluations  produced  poor  residual 
ratio  responses  in  some  cases.  These  also  demonstrated  poor  correlation 
properties  (not  shown). 

A redesign  of  the  gains  for  landing  approach  is  probably  indicated;  however, 
it  is  of  interest  to  see  how  effectively  this  design  procedure  indicates  good  or 
bad  performance  in  simulation.  A gain  change  for  landing  approach  can  easily 
be  implemented.  For  example,  this  can  be  done  along  with  landing  gear 
deployment. 

2. The extra longitudinal filter, i.e., LON #3 for $n_z$ and α, was eliminated.
Repeated attempts to make this filter behave properly across the flight
envelope produced instabilities at one point or another.

3. Figure 39 results show an interesting trade-off. The landing approach filter
performance is poor when the filter is designed assuming the actual expected
measurement noise values. This is due to the fact that stability is low for
this condition. By increasing the measurement noise RMS in the design,
parameter sensitivity is decreased due to better filter pole placement (i.e.,
a pole near the origin was moved to a more stable position).
Open-Loop Systems


where


$\dot{x} = Fx + G_1 u + G_2 \eta$
$y = Hx + E_1 u +$

Figure 36. Longitudinal Axis (Short Period) Model

Figure 37. Diagnostic Filter for $n_z$, q, α, q (LON #1)


Figure 38. Diagnostic Filter for $n_z$, q, q (LON #2)


Figure 39. Diagnostic Filter for q, α, q (LON #4)


This  idea  also  makes  intuitive  sense  for  fault  identification.  By  increasing 
the  measurement  noise,  the  filter  relies  less  on  the  measurements  and  more 
on  the  process  model  to  reconstruct  the  signal,  thus  ensuring  a longer,  more 
pronounced  failure  transient  when  a fault  occurs. 

4.5 FAULT DETECTION MONITORS FOR CONCEPTS II AND III

Design  considerations  for  various  monitors  used  with  analytical  redundancy  schemes 
require  careful  attention.  It  might  be  said  that,  once  the  filter  is  designed,  then  half 
the  battle  is  won.  Design  goals  are  accurate  fault  detection  in  minimum  time  after 
fault  with  an  acceptable  false  alarm  rate  (one  per  1000  flight  hours). 

Two basic categories of monitors are examined. First, a set of limits is chosen,
based on assumed unfailed statistical properties, i.e., means and RMS. The impact of
error signal autocorrelation is examined since it affects delayed fault declarations.

Second,  sequential  likelihood  ratio  tests  are  designed  for  mean  value  testing  of  analytical 
redundancy  error  signal  and  differences  in  likelihood  functions. 

The  choice  of  a monitor  for  analytical  redundancy  schemes  is  critical  to  the  ultimate 
performance  of  any  scheme.  Various  monitor  ideas  are  being  tried. 

4.5.1 Error Signal Monitor with Delayed Declaration

The simplest test one can apply to an error signal is to check its magnitude against
predefined limits. Figure 40 shows this scheme. The monitor level magnitude is
placed at a value specified as a multiple (m) of the unfailed error signal RMS (σ); m is
chosen for an acceptable false alarm rate.

Using a multiple trip criterion, i.e., declaring a fault only when the limit is exceeded
"n" consecutive times, a much lower false alarm rate can be achieved than by using a
first trip monitor level. Just how much lower depends upon the signal's autocorrelation.

Given a discrete random error signal, i.e., with Gaussian Markov properties,

$e_{i+1} = A e_i + \eta_i$; $\eta_i \sim N(0, \sigma_\eta)$ white   (36)

Figure 40. Trip Boundaries for Error Signals

$E[e_{i+1}^2] = E[e_i^2] = \sigma^2$   (37)

$E[e_{i+1} e_i] = A\sigma^2$   (38)

The correlation coefficient, $\rho_c$, between $e_i$ and $e_{i+1}$ is therefore

$\rho_c = A$   (39)

The probability that an unfailed error signal will exceed a level mσ (indicating a false
alarm) is

$P(m) = P(e_i > m\sigma \text{ or } e_i < -m\sigma) = 2[1 - \Phi(m)]$   (40)

where

$\Phi(m) = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{m} \exp(-z^2/2)\,dz$   (41)

and z is a dummy variable.
For two consecutive trips the false alarm probability is

$P_2(m) = 2[P(m, +m; \rho_c) + P(m, -m; \rho_c)]$   (42)

where

$P(m, m; \rho_c) = P(e_i > m\sigma \text{ and } e_{i+1} > m\sigma;\ \rho_c)$*   (43)

$P(m, -m; \rho_c) = P(e_i > m\sigma \text{ and } e_{i+1} < -m\sigma;\ \rho_c)$   (44)

Now

$P(m, m; \rho_c) = 1 - 2\Phi(m) + F(m, m; \rho_c)$   (45)

where

$F(m, m; \rho_c) = \frac{1}{2\pi\sqrt{1-\rho_c^2}} \int_{-\infty}^{m}\int_{-\infty}^{m} \exp[-(x^2 - 2\rho_c xy + y^2)/2(1-\rho_c^2)]\,dx\,dy$   (46)

but this can be transformed (Reference 35)

$F(m, m; \rho_c) = \Phi^2(m) + R(m, +m; \rho_c)$   (47)

where

$R(m, +m; \rho_c) = \frac{1}{2\pi}\int_0^{\rho_c} \exp[-m^2/(1+z)]\,(1-z^2)^{-1/2}\,dz$   (48)

Likewise

$P(m, -m; \rho_c) = 1 - 2\Phi(m) + \Phi^2(m) - R(m, -m; \rho_c)$   (49)

where

$R(m, -m; \rho_c) = \frac{1}{2\pi}\int_0^{\rho_c} \exp[-m^2/(1-z)]\,(1-z^2)^{-1/2}\,dz$

We can finally express $P_2(m)$ in terms of P(m)

(50)

*P(x; y) = probability of x given y.
For three consecutive trips using the Markovian property,

$P_3(m) = P_2^2(m)/P(m)$   (51)

A recursive relationship exists from here on:

$P_k(m) = P_{k-1}(m) \cdot P_2(m)/P(m)$   (52)

where k = number of consecutive trips (k > 2).

The correlation enters in the $S(m; \rho)$ term of Equation (50). This must be integrated
numerically.

False alarm probabilities for various monitor levels and correlations are shown in Figure
41. Results demonstrate a deteriorating performance in the monitor for increasing
correlation. The bounds on performance are:

$P_n(m) = P^n(m)$ for $\rho_c = 0$

and

$P_n(m) = P(m)$ for $\rho_c = 1$


Analytical  redundancy  modeling  simplifications,  such  as  neglecting  nonlinearities, 
unavailable  inputs,  and  wind  gusts,  result  in  increases  in  both  RMS  and  correlation  in 
the  error  signal  during  application.  RMS  increases  can  be  handled  by  scheduling  the 
monitor  level  with  the  maneuver  variables;  however,  care  must  be  taken  to  ensure  that 
the  monitor  level  is  not  driven  further  than  the  error  during  a fault. 

Choosing  the  number  of  consecutive  trips  involves  a trade-off  between  model  error 
insensitivity  and  fault  detection  reaction  time.  Three  consecutive  trips  are  commonly 
used  for  sensor  comparison  monitors;  however,  multiple  threshold  levels,  i.  e. , higher 
threshold  levels  with  less  delay,  might  prove  beneficial  for  catching  catastrophic  faults 
such  as  hardovers  while  lower  threshold  levels  with  delay  would  be  more  sensitive  to 
slow  failures  such  as  a bias  drifting  out  of  specification. 


$P(X_n;\ X_{n-1}, X_{n-2}) = P(X_n;\ X_{n-1})$


Thus far the discussion of monitors has been concerned with exceeding trip boundaries
and the impact of signal correlation on accidentally tripping a number of times
consecutively. We now need to examine the number of boundary crossings over a given period
of time.

Using the required false alarm rate of one per 1000 flight hours, the false alarm
specification for one hour of flight is given by the following Poisson distribution calculation:

$P(0) = P(\text{zero false alarms}) = e^{-\lambda T}$

where

$\lambda = 1 \times 10^{-3}$ (1 failure/hour)

T = 1 hour

Therefore,

P(0) = 0.999


This probability must match up with the probability that the sequence of random variables

$X_i$; $i = 1, \ldots, n$

representing a sampled error signal stays within the trip boundary, i.e.,

$P(\bigcap_{i=1}^{n} X_i) = e^{-\lambda T}$

for a one-hour flight with 20 samples taken per second and n = 72,000. If the sequence
is uncorrelated (independent), then we have

Case I: Independent sequence

$P(\bigcap_{i=1}^{n} X_i) = P^n(X_i) = \prod_{i=1}^{n} P(X_i)$

Finally, the required false alarm boundary is

$P(|X_i| > m\sigma) = 1 - e^{-\lambda T/n} = 1.39 \times 10^{-8}$

This low figure would require "m" to be very high.* Using a triple trip criteria,

$P(|X_i| > m\sigma;\ 3 \text{ consecutive times}) = (1.39 \times 10^{-8})^{1/3} = 2.40 \times 10^{-3}$

This corresponds to

m = 3.1

*Normal probability tables do not give numbers in this extreme range.


As noticed earlier, adding correlation into the sequence shows a monitor performance
deterioration. However, the correlation impact on the number of boundary crossings
for the entire sequence (1 hour) shows some improvement. This is because, although
the time spent above the trip boundary is longer for a correlated sequence, the number
of crossings is lower. Plotting values of monitor level versus correlation necessary
to meet the false alarm specification is difficult. The upper bound can be calculated,
however:

Case II: Total sequence dependence

$\lim_{\rho_c \to 1} n = 1$

Therefore

$P(|X_i| > m\sigma;\ 3 \text{ times}) = P(|X_i| > m\sigma;\ 1 \text{ time}) = 10^{-3}$

From this analysis, it is hypothesized that one needs to set a triple trip monitor above
3.3σ for a given error signal to meet the false alarm rate specification of one trip
allowed per 1000 flight hours.

*3.5 used in simulation.
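The consecutive-trip probabilities of Equations (40) through (52) and the one-per-1000-flight-hours budget can be evaluated directly. This is an added example, not code from the report: the function names are illustrative, Simpson's rule stands in for the numerical integration the text calls for, and the two-trip expression is Equation (42) with (45), (47) and (49) substituted.

```python
import math

SQRT2 = math.sqrt(2.0)

def p_single(m):
    """Equation (40): P(|e| > m*sigma) = 2[1 - Phi(m)], via erfc for tail accuracy."""
    return math.erfc(m / SQRT2)

def r_term(m, rho, sign, steps=400):
    """R(m, +m; rho) for sign=+1 and R(m, -m; rho) for sign=-1:
    (1/2pi) * integral_0^rho exp[-m^2/(1 + sign*z)] (1 - z^2)^(-1/2) dz."""
    if not 0.0 <= rho < 1.0:
        raise ValueError("rho must lie in [0, 1)")
    if rho == 0.0:
        return 0.0
    h = rho / steps
    f = lambda z: math.exp(-m * m / (1.0 + sign * z)) / math.sqrt(1.0 - z * z)
    total = f(0.0) + f(rho)
    for i in range(1, steps):
        total += (4.0 if i % 2 else 2.0) * f(i * h)
    return total * h / 3.0 / (2.0 * math.pi)

def p_two(m, rho):
    """Two consecutive trips: substituting (45), (47), (49) into (42) gives
    P(m)^2 + 2[R(m,+m; rho) - R(m,-m; rho)]."""
    return p_single(m) ** 2 + 2.0 * (r_term(m, rho, +1) - r_term(m, rho, -1))

def p_consecutive(m, k, rho=0.0):
    """Equations (51)-(52): P_k = P_{k-1} * P_2 / P = P_2^(k-1) / P^(k-2)."""
    if k == 1:
        return p_single(m)
    return p_two(m, rho) ** (k - 1) / p_single(m) ** (k - 2)

def per_sample_budget(alarms_per_hour=1e-3, hours=1.0, samples_per_sec=20):
    """Independent-sequence case: 1 - exp(-lambda*T/n) with n samples per flight."""
    n = round(hours * 3600 * samples_per_sec)
    return -math.expm1(-alarms_per_hour * hours / n)

def monitor_level(p_target, k=1, rho=0.0):
    """Smallest multiple m of sigma (bisection) with P_k(m; rho) <= p_target."""
    lo, hi = 0.0, 10.0
    for _ in range(50):
        mid = 0.5 * (lo + hi)
        if p_consecutive(mid, k, rho) > p_target:
            lo = mid
        else:
            hi = mid
    return hi

if __name__ == "__main__":
    budget = per_sample_budget()
    print("per-sample budget (independent):", budget)
    print("single-trip level              :", round(monitor_level(budget, 1), 2))
    for rho in (0.0, 0.5, 0.9):
        print("triple-trip level, rho =", rho, ":",
              round(monitor_level(budget, 3, rho), 2))
    print("fully dependent bound (P = 1e-3):", round(monitor_level(1e-3, 1), 2))
```

The run shows the trade described in the text: three trips at zero correlation allow a level near 3σ, and the allowable level rises toward the single-trip value as the correlation grows.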
4.5.2 Sequential Likelihood Ratio Tests


Hypothesis testing is a popular technique for monitor design for analytical redundancy
(References 8 and 36). Likelihood ratio tests are based upon two hypothesized density
functions of a random variable, $f_0(x)$ and $f_1(x)$. The likelihood ratio is expressed as a
function of the random variable observations, $x_i$'s:

$\Lambda_n = \dfrac{f_0(x_1, x_2, \ldots, x_n)}{f_1(x_1, x_2, \ldots, x_n)}$

The hypothesized outcomes, $H_0$ and $H_1$, are accepted or rejected based on the following:

1. Accept $H_0$ if $\Lambda_n \le A$

2. Accept $H_1$ if $\Lambda_n \ge B$

3. No decision if $A < \Lambda_n < B$

where B > A.

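One good hypothesis test situation involves testing the mean value (μ) of a given error
signal ($e_i$), i.e.,

$\Lambda_n(e_1, e_2, \ldots, e_n) = \dfrac{f_0(e_1, e_2, \ldots, e_n)}{f_1(e_1, e_2, \ldots, e_n)} = \dfrac{\exp[-\sum_{i=1}^{n}(e_i - \mu_0)^2/2\sigma^2]}{\exp[-\sum_{i=1}^{n}(e_i - \mu_1)^2/2\sigma^2]}$   (54)

where

$H_0$ implies $E(e_i) = \mu_0$
$H_1$ implies $E(e_i) = \mu_1$   (55)

Setting up the no decision criterion

$A < \dfrac{\exp[-\sum_{i=1}^{n}(e_i - \mu_0)^2/2\sigma^2]}{\exp[-\sum_{i=1}^{n}(e_i - \mu_1)^2/2\sigma^2]} < B$   (56)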
Using the natural log of this is more convenient.

$\mathrm{Ln}\,A < \sum_{i=1}^{n} [(e_i - \mu_1)^2 - (e_i - \mu_0)^2]/2\sigma^2 < \mathrm{Ln}\,B$   (57)

Case I:

$\mu_0 = 0$: Process proceeding normally with no failure
$\mu_1 = m\sigma$: Process mean has shifted
$A = 1/B$

Equation (57) becomes

$\dfrac{mn\sigma}{2} - \dfrac{\sigma\,\mathrm{Ln}\,B}{m} < \sum_{i=1}^{n} e_i < \dfrac{mn\sigma}{2} + \dfrac{\sigma\,\mathrm{Ln}\,B}{m}$

Figure 42a shows the decision criteria as a function of n.

Case II:

($\mu_0 = 0$, $\mu_1 = -m\sigma$, $A = 1/B$)

Equation (57) becomes

$-\dfrac{mn\sigma}{2} - \dfrac{\sigma\,\mathrm{Ln}\,B}{m} < \sum_{i=1}^{n} e_i < -\dfrac{mn\sigma}{2} + \dfrac{\sigma\,\mathrm{Ln}\,B}{m}$

Figure 42b shows this case.

In application, a combination of Case I and Case II is used. Let B = 20,000 and m = 4.0.
A combined test consists of:

1. Accept $H_0$ if $\sum_{i=1}^{n} e_i < (2.00n - 3.13)\sigma$

2. Accept $H_1$ if $\sum_{i=1}^{n} e_i > (2.00n + 3.13)\sigma$

3. Make no decision if $(1.95n - 1.95)\sigma < \sum_{i=1}^{n} e_i < (2.00n + 3.13)\sigma$


Figure  43  shows  this  graphically. 
The testing procedure consists of initializing at n = 1 and updating the sum each computational cycle. The sequence is restarted when hypothesis $H_0$ is accepted or the process runs a fixed length of time (1 sec) without a decision. The other alternative is, of course, a fault declaration ($H_1$ accepted).

Frequent  restarts  are  desired  because  lengthy  sequences  show  less  sensitivity  to  new 
data.  In  practice  this  problem  has  not  surfaced  since  restarting  usually  occurs  after  no 
more  than  three  sums. 


Correlated signals also affect the operation of this monitor. Although theoretically there is no change in the false or missed detection probabilities, correlated error signals do affect restart frequency. An uncorrelated sequence reaches a decision, either $H_0$ or $H_1$, with probability 1 (Reference 36). This cannot be demonstrated for correlated signal samples.
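The combined test and its restart procedure, written out as a monitor. This is an added example, not code from the report; it assumes Case I and Case II are combined by testing the magnitude of the running sum, and the class and function names are illustrative.

```python
import math
import random

# Constants printed in the page's combined test: thresholds (2.00n +/- 3.13) * sigma.
PAGE_SLOPE = 2.00
PAGE_OFFSET = 3.13


def thresholds_from(m, B):
    """Slope and offset, in sigma units, from the Case I inequality with A = 1/B:
    m*n/2 - ln(B)/m < sum(e_i)/sigma < m*n/2 + ln(B)/m.
    ln(20000)/4 evaluates to about 2.48 while the page prints 3.13, so the
    offset stays a parameter and defaults to the printed value."""
    return m / 2.0, math.log(B) / m


class SLRTMonitor:
    """Two-sided sequential test on the running sum of an error signal."""

    def __init__(self, sigma, slope=PAGE_SLOPE, offset=PAGE_OFFSET,
                 dt=0.05, max_time=1.0):
        self.sigma = sigma
        self.slope = slope
        self.offset = offset
        self.max_n = int(round(max_time / dt))  # 1 sec at 0.05 sec/sample = 20 sums
        self.restart()

    def restart(self):
        self.n = 0
        self.total = 0.0

    def update(self, e):
        """Add one sample; return 'H1' (fault), 'H0', 'TIMEOUT' or 'CONTINUE'."""
        self.n += 1
        self.total += e
        # Assumption: the +shift and -shift cases are combined by testing |sum|.
        mag = abs(self.total) / self.sigma
        if mag > self.slope * self.n + self.offset:
            decision = "H1"
        elif mag < self.slope * self.n - self.offset:
            decision = "H0"
        elif self.n >= self.max_n:
            decision = "TIMEOUT"      # fixed-length sequence ended without a decision
        else:
            return "CONTINUE"
        self.restart()                # every decision starts a new sequence at n = 1
        return decision


def run(monitor, samples):
    """Decision returned after each sample."""
    return [monitor.update(e) for e in samples]


def sums_per_decision(monitor, samples):
    """Number of sums in each completed test sequence."""
    lengths, count = [], 0
    for e in samples:
        count += 1
        if monitor.update(e) != "CONTINUE":
            lengths.append(count)
            count = 0
    return lengths


if __name__ == "__main__":
    random.seed(1)
    sigma = 0.012  # constructed residual RMS
    noise = [random.gauss(0.0, sigma) for _ in range(2000)]
    lengths = sums_per_decision(SLRTMonitor(sigma), noise)
    print("longest no-fault sequence:", max(lengths), "sums")
    shifted = [e + 4.0 * sigma for e in noise[:40]]  # constructed 4-sigma mean shift
    print(run(SLRTMonitor(sigma), shifted)[:6])
```

A signal sitting on the drift line (a constant 2σ here) never crosses either boundary and is cleared only by the 1 sec restart, which is the case the fixed-length rule exists for.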

4.5.3 Comparison of Likelihood Functions

For a given set of n Kalman filter residual ($n_r$-vector) sequences $\nu_i$; $i = 1, 2, \ldots, n$, the log likelihood function is

$$L_n = \sum_{i=1}^{n}\left(\nu_i^{T} B^{-1} \nu_i + \ln\det B\right) \tag{60}$$

where

$B = E[\nu_i \nu_i^{T}]$ ($n_r \times n_r$ covariance matrix)

The  random  variable  has  a chi-square  distribution  with  n^  degrees  of  freedom. 

Using a second sensor set with identical statistical characteristics, i.e., noise, bias, scale factor, a likelihood difference can be constructed:


AL  . 
n n 


2)  = 1 ^ <2)_-i((2ir  (i)„-i|  (ir 


(61) 


From a practical standpoint this is assumed to be normally distributed.*

This distribution is symmetric; however, more values exist at the extremes about the mean than for a normal distribution. This must be accounted for in monitor level calculations.
The above error signal is used along with comparison monitors to provide a fail-op dual sensor set (Figure 44).

The two hypotheses, however, differ from previous applications:

1. $H_0$ implies sensor set 1 has failed.

2. $H_1$ implies sensor set 2 has failed.

A sequential likelihood ratio test of mean value results in

$\mu_0 = +m\sigma$

$\mu_1 = -m\sigma$

This results in one of the following decisions:

1. Accept $H_0$ if $\Delta L_n \ge \dfrac{\sigma \ln B}{2m}$

2. Accept $H_1$ if

3. Make no decision if $-\dfrac{\sigma \ln B}{2m} < \Delta L_n < \dfrac{\sigma \ln B}{2m}$

As before, the logic will proceed to a decision ($H_0$ or $H_1$) with probability 1.* Because the no-failed hypothesis is not included, the test can only proceed when a failure is known to have occurred. The failure indication is supplied by the comparison monitors.

Using a delayed declaration on the comparison monitors, the likelihood mean test is initiated after the first trip. If the third consecutive trip occurs, resulting in a fault declaration, the hypothesis ($H_0$ versus $H_1$) test is initiated to isolate the faulted sensor.

The net effect of this arrangement is two error flags, as shown in the truth table in Figure 44. Because the likelihood functions used can only increase** in a fault situation, the direction (+ or -) of the test sequence provides the extra information needed to determine which set contains the failed sensor.

*Assuming an uncorrelated sequence.

**Assuming the Kalman filter model correctly represents the physical system.
SECTION 5

A-7D SIMULATION EVALUATION

5.1 SIMULATION SETUP

The three concepts were simulated on a double hybrid computer setup* with the workload split as shown in Figure 45. The use of two digital computers afforded extra core and frame time to perform the aircraft dynamic simulation, fault detection, and monitor schemes, plus some added evaluation capability and record keeping such as:

• Statistical analysis of signals

  - Mean

  - Standard deviation

  - Peak values and time of occurrence

  - Autocorrelation calculations

• Monitor flag history record

• Parallel concept evaluation (Concept I versus Concept II)

A more detailed discussion of the simulation setup appears in Appendix B.

5.2  FALSE  ALARM  TESTS 

Perhaps the most demanding aspect of the simulation was the false alarm analysis conducted on the algorithms. The reasons for this are:

1. Careful analysis of such runs must be made to determine the exact nature of the trip and the corrective action. Fault evaluation runs, on the other hand, were pretty much "let-the-chips-fall-where-they-may" since redesign of a monitor level was precluded after the false alarm tests.

2. Fault detection runs are generally shorter in length, i.e., most were under 12 seconds in duration. False alarm runs included hours worth of noise test for each concept (30 min at each of three flight conditions) plus numerous deterministic tests.

*The simulation used two separate hybrid computers, each with an analog and digital portion, connected through an analog link.

Figure 45. Sigma 5 — Pacer 100 Hybrid Simulation

False alarm inputs include combinations of the following:

• Six ft/sec random gust runs at three flight conditions for ½ hour each (a total of 6 million random numbers generated):

  - Low q; h = 1,000'; 335.1 ft/sec (M = 0.3)

  - Medium q; h = 15,000'; 750.0 ft/sec (M = 0.6)

  - High q; h = 2,000'; 1,005 ft/sec (M = 0.9)

• Pitch maneuvers up to 2-g commands

• Roll maneuvers (60° roll in 1 sec)

• 30 ft/sec "1-cos" α gusts at three flight conditions (ω = 2π rad/sec)

• 30 ft/sec "1-cos" β gusts at three flight conditions (ω = 2π rad/sec)

5.2.1 False Alarm Results

The results of false alarm tests are a set of nominal monitor values, some monitor schedules, and a performance disclaimer about discrete gusts at low dynamic pressure. Final monitor values are given at the end of this subsection.

All runs were made with different random numbers. Nominal sensor characteristics were chosen at random at the start of each run using RMS values for bias, scale factor, and misalignment listed in Section 3. High-frequency noise was inserted during each time frame.

q Schedules on Acceleration Residuals--Evaluation of all concepts took place at three flight conditions: low, medium, and high dynamic pressure. Certain residuals on accelerations for Concepts II and III (all associated with the gain-scheduled filters)* exhibited increased acceleration responses. This result was expected since residual covariance responses obtained during design predicted this. The trend is very consistent and predictable with q.

*Both Concept I's (α, $n_z$) and Concept II's (h, α, $n_z$) filters were unaffected by dynamic pressure changes.
A q monitor schedule for these residuals was designed. The alternative of running the monitors at the constant high level (at high q) demonstrates poorer monitor performance at lower q flight conditions. Much of the fault evaluation for acceleration failures, therefore, took place at the high q condition.

Roll Monitor Uplogic--Generally speaking, the guidelines for adjusting monitors during maneuvers consisted of increasing individual levels until acceptance was achieved. One difficulty encountered during the roll maneuver, however, so affected all lateral-axis monitors in all three concepts that a special adjustment was in order. When the monitor logic was set at values determined by other inputs, i.e., random gusts, "1-cos" β gusts, and pitch maneuvers, the filters responded well to inputs. However, the 60° in one second roll maneuver resulted in relatively severe transients in all monitors associated with the following roll variables:

• The error signal on the P filter in Concept I.

• Residuals on $n_y$, P, and R filters in Concept II.

• Residuals on $n_y$, P, and R filters in Concept III.

The reasons for the excessive transients (in some cases five times the value needed to handle random gusts) were a combination of sample rate and hybrid computer Euler angle integration. One notion was to increase the sampling frequency; however, this resulted in increased error signal correlation (resulting in the need to increase monitor levels) and it reduced the available computer frame time.

The solution was to employ known information about maneuvers but not sensor information, i.e., the roll command. Figure 46 outlines the design used to "up" roll monitor magnitudes during pilot maneuvers.


The design is based on stepping up the affected monitors immediately upon receiving a roll command from the pilot. The magnitude of the uplogic is proportional to the stick command rate. The logic is designed to maintain a constant level of monitors "up," i.e., at a higher monitor level, for the duration of the residual transient (taken to be about 1 sec). If no further pilot commands are given, which would result in the uplogic staying "up," the monitor decays (τ = 0.33 sec) to its original value.

The addition of a "fix" of this type carries with it a natural concern for the system performance during piloted maneuvers. For this reason, many of the fault evaluations for the affected monitors were conducted during the roll maneuver.
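A sketch of the step-up, hold, and decay behaviour described above, as an added example that is not the report's Figure 46 design. The gain form, the command profile, and the residual values are constructed assumptions; the 0.05 sec sample time, 1 sec hold, and 0.33 sec decay constant are the page's.

```python
import math


class RollUplogic:
    """Raises a monitor level on a roll command, holds it, then lets it decay."""

    def __init__(self, base_level, gain, dt=0.05, hold=1.0, tau=0.33):
        self.base = base_level
        self.gain = gain                      # level added per unit of command rate (assumed form)
        self.dt = dt
        self.hold_n = int(round(hold / dt))   # samples the level stays "up"
        self.decay = math.exp(-dt / tau)      # per-sample decay factor
        self.prev_cmd = 0.0
        self.up = 0.0                         # current increment above the base level
        self.hold_left = 0

    def update(self, roll_cmd):
        """Return the monitor level to use for this sample."""
        rate = abs(roll_cmd - self.prev_cmd) / self.dt
        self.prev_cmd = roll_cmd
        if rate > 1e-9:
            # A new command steps the level up at once and restarts the hold.
            self.up = max(self.up, self.gain * rate)
            self.hold_left = self.hold_n
        elif self.hold_left > 0:
            self.hold_left -= 1
        else:
            self.up *= self.decay
        return self.base + self.up


def roll_command(k):
    """Constructed stick command: 0 until sample 10, ramp to 1.0 by sample 19, then held."""
    if k < 10:
        return 0.0
    return min(1.0, 0.1 * (k - 9))


def residual(k):
    """Constructed roll residual: a 1.5-unit maneuver transient during samples 10..30."""
    return 1.5 if 10 <= k <= 30 else 0.2


def levels_and_trips(n=70, base=1.0, gain=0.5):
    """Monitor level per sample, plus nuisance trips with a fixed and a scheduled level."""
    logic = RollUplogic(base, gain)
    levels = [logic.update(roll_command(k)) for k in range(n)]
    fixed_trips = sum(abs(residual(k)) > base for k in range(n))
    sched_trips = sum(abs(residual(k)) > levels[k] for k in range(n))
    return levels, fixed_trips, sched_trips


if __name__ == "__main__":
    levels, fixed_trips, sched_trips = levels_and_trips()
    print("fixed-level trips:", fixed_trips, "scheduled-level trips:", sched_trips)
    print("level at samples 9, 10, 39, 40, 69:",
          [round(levels[k], 3) for k in (9, 10, 39, 40, 69)])
```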
$h_m$ Uplogic on Vertical Gust Estimators--Although it was never really evaluated, it should be noted that during landing approach some gust models (Reference 38) contain an ever-increasing bandwidth on the vertical gust component. This is tempered somewhat by a lower RMS, but time constants can get as low as 0.11 sec. The effect on filters designed with vertical gust estimators, even if this is taken into account, is to cause observability problems, i.e., no inherent frequency separation from other states. The net effect is higher residual RMS. Compensation in the fault detection monitors might be necessary and an $h_m$ schedule would be in order.

"1-cos" α Gust at Low q--Monitors for the pitch axis gain-scheduled filters in Concept III did not successfully pass the 1 Hz discrete gust input test at low q. The Kalman filter design process resulted in decreasing filter bandwidth with decreasing q. Rather than increase monitor values to pass this test, the approach taken was to simply ignore performance for this magnitude and frequency of gust at low q.

5.2.2 Monitor Values After False Alarm Evaluation

Monitors were adjusted during false alarm tests using various criteria:

1. Random Gust Evaluation (6 ft/sec RMS - hours on each concept).

   • Multiple Trip Monitors - Statistically determined RMS values and the false alarm analysis in Section 4 were used to determine acceptable monitor levels for Concepts II and III. Concept I monitors, originally designed as presented in Section 4, were adjusted to meet statistically determined RMS values.

   • Sequential Likelihood Ratio Tests (SLRT) - Concepts II and III were run with residuals operating on both the multiple trip monitors and the SLRT monitors. Using the basic development of Section 4, individual monitors were adjusted; however, final monitor levels were affected more by maneuvers than by turbulence.

2. Pitch Maneuver (2-g pitch command at three flight conditions).

   • Multiple Trip Monitors - All concepts were unaffected by pitch maneuvers. Residual values stayed within monitor levels determined by random gusts.

   • SLRT Monitors - Some monitors in Concept III needed slight adjustment.

3. Roll Maneuver (60° in 1 sec command at three flight conditions). All monitors on roll variables had to be adjusted to account for this maneuver.

4. Discrete α gust ($W = 30\ \text{ft/s}\,[1 - \cos(2\pi t)]$ for 1 sec). Concept III pitch axis filters failed this test for the low q flight condition. Redesign was not performed due to the low probability of this input in real situations. This input, therefore, provides the limiting condition for Concept III pitch axis designs. Optimum bandwidths (based on random gusts) are too low to effectively counter this high-frequency gust.

5. Discrete β gust ($V = 30.0\ \text{ft/s}\,[1 - \cos(2\pi t)]$ for 1 sec). Monitor adjustments on lateral axis gain-scheduled filters in Concepts II and III passed this test.

6. Other maneuvers that performed with no nuisance trips were:

   • Roll to 70° in five seconds, and

   • Coordinated turn at φ = 40°.

Tables 23 and 24 show the monitor values used for fault detection evaluation.


TABLE  23.  FINAL  MONITOR  LEVELS  (CONCEPT  I) 


Filter 

Monitor  Level 

Roll  Monitor 

Level 

(A/unlt  roll  up  logic) 

1.  P< (drg/sec) 

4.0>0.  OWP  / 
ni 

30,0 

2.  Q<<drg/sec) 

s.s  ♦ o.oMfq  / • o.oossfp  / 

m m 

- 

3.  Rcldeg/sec) 

4.0  • 0,0ii/R  / » 0,0053/P  / 
vn  m 

- 

*■  "*,**'•> 

3.0  • 0.015/Q  / • 0.35/n  / 

m 

*V  <0.  54  4 0.0342/Q  / 

» 0.0353/p  >)ftS2.n  X 57.  3> 
m 

5.  h«(ft/fiec) 

721.0  • 0.028/U  / . r 3 /h/ 
m 

- 
TABLE 24. FINAL MONITOR LEVELS* (CONCEPTS II AND III)

Column headings: Concept; Filter; Residual or Error Signal; 6 ft/sec Gust Input RMS (Med. q/High q); Level for Multiple Trip Monitor; High q Monitor Level; SLRT Monitor Level; Roll Monitor Level

0 - P 
m m 

1.  Vg(rad) 

0.00321 

0.0033 

0.0033 

0.017 

9 - q 

m 

2.  Vg(rad) 

0.00279 

0.0033 

0.0033 

‘»'m'«m 

3.  vy^(rad) 

0.00276 

0.0030 

0.0030 

II 

"'•ii 

4.  Vf, 

31.2 

40.0 

40.0 

"zm 

5.  (rad) 

0.00320 

0.0050 

0.0070 

%• 

6.  vny(ft/sec2) 

1.09/1.43 

1.20 

2.0 

1.5 

3.0 

7.  V?  (rad/sec) 

0.0023 

0.030 

0.04 

0.15 

8.  Vr  (rad/sec) 

0.0084 

0.012 

0.015 

0.10 

1.  vn^(^t/sec^) 

2.62/5.67 

4.3 

6.2 

4.8 

Qm 

2.  Vg  (rad/sec) 

0.0080/. 010 

0.012 

0.012 

'^m. 

3.  Vg  (rad/sec) 

0.0086/. 0130 

0.020 

0.020 

«'m 

4.  Va  (rad/sec) 

0.0035/. 0037 

0.0035 

0.0050 

III 

% , 

5.  Vn  (^t/sec2) 

y 

1.15/1.47 

1.25 

2.0 

1.25 

1.4 

«m 

6.  Vp  (rad/sec) 

0.0076/. 0077 

0.010 

0.010 

0.04 

n 

^m. 

7.  Vn  (^t/sec^) 

"y 

1.16/1.52 

1.25 

2.5 

1.25 

1.4 

"m 

8.  Vp  (rad/sec) 

0.022/. 022 

0.025 

0.025 

0.30 

F 

*’"'j  . Pm2 
Compare 

AP  (rad/sec) 

0.0136 

0.018 

N/A 

A 

I 

L 

1 

0 

AQ  (rad/sec) 

0.0050 

0.006 

N/A 

Compare 

**mj  - Am2 

AR  (rad/sec) 

0.0050 

0.006 

N/A 

Compare 

Likelihood 

Difference 

avjrad^) 

0.171 

N/A 

0.5 

*Monitor levels are defined here to be the RMS values sent to the multi-trip monitor and sequential likelihood ratio test routines. Scaling as per Section 4 development was then performed.
5.2.3 Fail Operational Monitors

Some minor adjustments on the fail-operational comparison monitors were made during the false alarm runs. These monitors are the constant level, triple trip type. Actual A-7D monitor levels were not used for two reasons:

1. A-7D comparison monitors operate at higher sample rates. If allowed to operate at the sample rate used in this study, their thresholds would probably be too high.

2. The objective of this design is to evaluate the SLRT for differences of likelihood functions (as described in Section 4). There is only one real issue. When asked to decide which diagnostic filter contains this fault, this monitor can do one of three things: decide on the right sensor set, decide on the wrong sensor set, or decide later. The ability to make the right isolation decision at the earliest time was the test objective.

5.3  FAULT  DETECTION  SIMULATION 

5.3.1  Fault  Insertion 


Section 3 outlines the various faults encountered by each sensor. For purposes of simulating these faults in a fashion best suited to evaluation, the following faults were inserted at prescribed insertion times:

• Hardover (plus): $S_o$ = max value

• Hardover (minus): $S_o$ = min value

• Dead: $S_o = 0$

• Bias: $S_o = S_I + t\sigma_b$ (i.e., 1 $\sigma_b$ of bias/sec)

• Scale Factor 1: $S_o = 0.75\,S_I$

• Scale Factor 2: $S_o = 0.50\,S_I$

• Dynamic Response: $S_o = S_I/(\tau_c s + 1)$; $\tau_c = 1$ sec

where $S_o$ is the sensor output after failure input, and $S_I$ is the sensor input.
5.3.2 Recovery Modes

Recovery modes consisted of simply removing the fault. For redundant sensors ($n_{z_m}$, $n_{y_m}$, $P_m$, $Q_m$, $R_m$) this simulated replacing the bad sensor with a good one. For non-redundant sensors the insertion of the original sensor has no meaning other than to signify that the fault was detected for plotting purposes.

Recovery modes deserve more careful attention than was given them in this study. Although unsophisticated, the scheme used, when operating with a sensor consistency monitor (discussed next), performed adequately in all cases with no catastrophic transient resulting from the recovery. A recommended alternative which was not tried will be discussed later.

5.3.3  Sensor  Consistency  Monitor 

At the outset of this study, the baseline constraint on the analytical redundancy algorithms was that the recommended system be implemented into the A-7D on-board computer (Honeywell-301). Due to this constraint, it was necessary to keep the sample rate as low as possible. At 20 samples/sec, the fault tolerant algorithms have a built-in delay in identifying faults, particularly if multiple trips are used to declare a fault. It is likely that if catastrophic faults, i.e., hardover sensors, are allowed to pass through the computer, a difficult recovery task results regardless of how well the monitor works.

The algorithms tested were supplemented by a sensor consistency monitor which compared the data from each sensor with past inputs. If the new value is not within some prescribed deviation from the immediate past value, the old data point is substituted for it. This procedure possesses no performance problem if the fault is discovered quickly, but it would cause problems if the fault were not detected.

The simulation allowed the entire fault to reach the control system for one entire sample time of the fault diagnosis frame. This roughly simulates the fault detection schemes operating at a much lower sample rate than the control schemes. It is recommended that the sensor consistency monitor be implemented at the highest sample rate, thereby not allowing any sensor hardovers to propagate into the control scheme.

It is further recommended that this scheme be investigated as a possible recovery mode transition filter. Instead of substituting a past value when an inconsistency is discovered, one should substitute the previous value plus some portion of the current measurement.

This would then operate completely independently of the fault detection schemes and force a gradual recovery from a dead sensor to its substitute which may be at a much larger magnitude by the time a fault is detected. Admittedly, some portion of a hardover sensor output would also propagate through the system and thus a design trade-off for choosing these levels should be performed.
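The sample-to-sample consistency check, run against the Section 5.3.1 fault types, with the hold-last-value substitution used in the study beside the recommended blended substitution. This is an added example, not code from the report; the deviation limit, signal values, and blend fraction are constructed, and comparing each new sample with the last value passed on (rather than the last raw input) is an assumption.

```python
DT = 0.05  # fault-diagnosis sample time used in the study (20 samples/sec)


def inject(kind, s_in, k, k_fault, s_max=60.0, s_min=-60.0, sigma_b=0.5):
    """Sensor output S_o for input S_I under the Section 5.3.1 fault types.
    s_max, s_min and sigma_b are constructed values. The dynamic response
    fault is left out because it needs filter state."""
    if k < k_fault:
        return s_in
    if kind == "hardover+":
        return s_max
    if kind == "hardover-":
        return s_min
    if kind == "dead":
        return 0.0
    if kind == "bias":                       # ramps at one sigma_b per second
        return s_in + (k - k_fault) * DT * sigma_b
    if kind == "scale75":
        return 0.75 * s_in
    if kind == "scale50":
        return 0.50 * s_in
    raise ValueError(kind)


class ConsistencyMonitor:
    """blend = 0 holds the old data point (the scheme used in the study);
    blend > 0 substitutes the previous value plus that portion of the jump
    (the recommended transition filter)."""

    def __init__(self, max_step, blend=0.0):
        self.max_step = max_step
        self.blend = blend
        self.prev = None

    def update(self, raw):
        """Return (value passed to the control law, inconsistency flag)."""
        if self.prev is None or abs(raw - self.prev) <= self.max_step:
            self.prev = raw
            return raw, False
        out = self.prev + self.blend * (raw - self.prev)
        self.prev = out
        return out, True


def simulate(kind, blend, n=40, k_fault=10, s_true=2.0, max_step=1.0):
    """Constant true signal with one fault inserted at sample k_fault."""
    mon = ConsistencyMonitor(max_step, blend)
    outputs, flags = [], []
    for k in range(n):
        out, flag = mon.update(inject(kind, s_true, k, k_fault))
        outputs.append(out)
        flags.append(flag)
    return outputs, flags


if __name__ == "__main__":
    for kind in ("hardover+", "dead", "bias", "scale75"):
        for blend in (0.0, 0.1):
            outputs, flags = simulate(kind, blend)
            print(f"{kind:10s} blend={blend:.1f} "
                  f"final={outputs[-1]:7.3f} flagged={sum(flags)}")
```

The bias and scale factor faults change too slowly per sample to be flagged, so they reach the filters unaltered and are left to the residual monitors, while a held value masks a hardover or dead sensor for as long as the fault goes undeclared.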

5.3.4 Fault Detection Evaluation (Concepts I and II)

The procedure for performing fault evaluation runs for Concepts I and II was aided by the capability to run these two concepts in parallel. First a complete fault insertion set of runs was made using Concept I monitors for recovery. Then the procedure was switched to Concept II recovery monitors using sequential likelihood ratio test (SLRT) monitors. For all runs, both concepts were evaluating the faults with a running history of error flags being recorded for printout at the end of a given fault run. Concept II also ran with both monitors (multiple trip and SLRT) evaluating filter residuals. This procedure obtained two sets of fault evaluations.

For all runs, the random gust generator was set to a value of 3 ft/sec for all three axes gust components. The goal here was to not assist the fault detection with high gust levels.

Results for the Concept I and II evaluation are shown in Table 25. Complete strip chart outputs appear in Appendix D.

Not shown in Table 25 are the results from the SLRT test of likelihood functions of two sets of sensors with identical filters (body rate Euler angle filters). The main issue here was whether this test would provide the fault isolation necessary for the fail-op capability. In all cases the decision was made within one extra sample frame from the time the comparison monitor asked for a decision.

5.3.5 Fault Detection and Isolation (Concept III)

Concept III results are shown in Table 26. This evaluation took place for six sensors; a

n 

n*  . Q f *nd  R . Two  additional  sensors  can  be  added  to  this  list  by  using 

m >m  m m m jo 

Concept II's LON #2 filter for faults and the lateral axis filter for faults.
TABLE 25. CONCEPTS I AND II SIMULATION COMPARISONS

[Table body not recovered. Column headings: Flight Condition, Maneuver; Sensor; Fault; Concept Monitors (SLRT, Multi-Trip (MT)); Recovery; Subjective Concept Winner; Comments.]

Notation: n refers to the corresponding error signal or residual number in Table 23 for the concept indicated; m refers to the order in which detection occurs. Ties are indicated with the same number.

TABLE 26. CONCEPT III SIMULATION EVALUATION


The filters were originally operated with second order high-pass filters at 2 rad/sec. The results from initial fault runs were so poor that the high-pass frequency was moved to 1 rad/sec. This shift produced the results shown in Table 26. Failure to achieve fault detection in many cases resulted from the fault transient being high-passed away too quickly. The low frequency inputs into the longitudinal axis, i.e., phugoid motion and trim changes, preclude lowering the current high-pass frequency. Low frequency lateral-directional inputs, spiral mode motion and control effectiveness input mismatches are less severe. This would probably allow the frequency of the high-pass filter to be lowered.


Fault isolation logic requires observation of faults in various filters in order to identify the failed sensor. In practice, each filter's monitor levels were dictated by false alarm runs. This results in some delay in making the right fault decision. For example, pitch rate, $Q_m$, faults must show up in two filters, filters III-1 and III-2. If the fault is

detected  in  filter  III-l,  the  first  decision  is  that  n~  has  failed.  If  it  shows  up  first 

m 

in  filter  III-2,  the  is  bad.  The  alternative  of  waiting  for  both  filters  to  respond 
before  a decision  is  made  will  delay  n^^  and  fault  diagnosis.  An  approach  of  letting 
the  isolation  logic  decide  immediately  and  then  switch  if  a change  occurs  was  used. 


SECTION 6

CONCLUSIONS AND RECOMMENDATIONS

Results presented in Section 5 yield a number of comments and recommendations. These will be provided in two groups: specific technical observations and conclusions and recommendations for future development through flight test.

6.1 SPECIFIC TECHNICAL OBSERVATIONS AND CONCLUSIONS

6.1.1 Comparisons of Concepts I and II

Euler Angles and Body Rates--In general, the performance of the two concepts was very close. This fact would favor Concept I because of the implementation simplicity; however, a number of considerations should be examined:

1. The bias estimators of Concept II performed well in catching bias errors even though they were not originally designed to be monitored. The yaw rate, $R_m$, bias estimation was the most precise bias estimate of those designed because of its low gain. Concept II's bias fault detection capability was also excellent. Regardless of how long the bias errors propagate, the recovery impact and total net effect on the aircraft are minimal.

2. Another choice for the high-pass time constant for Concept I would reduce the autocorrelation of error signals without sacrificing performance. This would allow the use of the sequential likelihood ratio test monitors with Concept I filters (SLRT does not like correlation).

3. Euler angle fault detection proved to be easy for both concepts. Concept II performed better, based on the strength of the SLRT monitor performance.

$n_z$, α, and h Filters--Concept II was the clear winner. Ignoring wind gust correlation in Concept I produced high autocorrelation and high RMS. The key to the Concept II success was the gust estimation. Also, as predicted, Concept I missed the $\alpha_m$ hardover fault.
$U_m$ Faults--Concept II's ($n_z$, α, h) filter proved surprisingly good at diagnosing airspeed faults. The gain-scheduled lateral-directional filter was expected to provide some diagnosis capability (and it did), but the primary performance came from ($n_z$, α, h).

6.1.2  Monitor  Performance  Comparisons 

The two monitors used were the multiple-trip-level exceedance (with and without sensor scheduling) versus the sequential likelihood ratio test (SLRT). This idea is a computationally simplified version of one used previously (Reference 8). The SLRT monitor performed well. The monitor demonstrated adeptness at catching hardover faults quickly, plus detecting other faults (particularly scale factor changes) that escaped the multiple trip monitor.

More understanding of how this monitor works is needed because setting the necessary parameters for false alarm requirements is difficult.

6.1.3  SLRT  of  Likelihood  Function  Difference 

As originally discussed in Section 2, the decision as to which sensor family (determined by the diagnostic filters) contained the faulty output was to be performed on a relative performance basis, i.e., which set of sensors performed the best when the comparison monitor declared a failure. The SLRT monitor used here provides a more formal way of isolating the failed sensor. Expansion to and $n_{y_m}$ fault isolation should be made.

6.1.4  Lateral  Accelerometer  Fault  Detection 

As expected, $n_{y_m}$ faults were difficult to diagnose. The inclusion of a completely gain-scheduled third-order filter perhaps is not justified considering the return. The filter did supply some other benefits:

• Good fault detection of body rate signals, $P_m$ and $R_m$, was observed.

• Bias faults were detected (although eventual flight tests may have to include low frequency high-pass filters to wash-out modeling errors).

• Some detection capability for airspeed faults was observed.

The need for this type of filter goes beyond the current application. State reconstruction for control law modification is an issue discussed but not addressed in the current study.

It has been demonstrated that this filter can perform well with reduced sets of measurements. For example, if the loss of an inner-loop signal, i.e., $n_{y_m}$, $P_m$, or $R_m$, occurs, this filter could be used to reconstruct the missing output.

The key issue (and the major reason why this was not addressed in the current study) is performance. It is likely that the performance required by the primary flight control system will not be obtained. Reconstruction, however, could supply a fail-sub-operational capability, a level of performance which would be a reversion mode that could be used before fail-safe is necessary.

6.1.5  Sample  Rate  and  Fault  Detection 

The desire to operate at a low sample rate is strong due to a lack of computer core and time. Also, the longer the algorithms take to make a decision the better they will perform. The key issues are fault detection algorithms and flight control performance. Two modifications to the concepts studied provide the justification for retaining the 0.05 sec sample time.

Sensor Consistency Check--A simple check of sensor consistency from sample to sample gives the fault detection algorithms valuable time to make decisions, particularly during hardover failures. It is recommended that this sort of check be applied at the flight control sample rates to ensure that sensor hardover failures do not enter into the control law. This scheme could also be modified to provide a recovery mode capability. The one used in this study is not being recommended as a usable recovery process.

Roll Monitor Uplogic--The use of uplogic for certain monitors scheduled on roll command effectively solved a difficult problem. Use of a different Kalman filter integration scheme is recommended; a trapezoid integration scheme will reduce the effect of high roll rates and will provide quicker fault propagation into the detection scheme for certain sensors.

Simulation results verified that the roll monitor uplogic does not compromise fault detection during maneuvers.


6.1.6  Concept  III  Conclusions 


Concept  III  results  were  less  encouraging  than  results  from  Concepts  I and  II.  Detecting 
and  isolating  faults  produced  marginal  success.  Hardover  fault  detection  posed  the 
fewest  problems.  Referring  to  the  concept  selection  discussions  in  Section  2,  the 
Concept III filters would have to be augmented with specific algorithms hypothesizing
various  faults.  Either  multiple  hypothesis  Kalman  filters  (Reference  12)  must  be 
installed  (with  associated  extra  filtering)  or  signature  tests  for  specific  faults  (Reference 
19),  also  computationally  expensive,  must  be  explored. 

6.2 RECOMMENDATIONS FOR FLIGHT TEST


Results  from  the  evaluation  of  Concepts  I and  II  and  fail-op  monitor  selection  evaluation 
were  encouraging.  The  following  recommendations  can  be  made: 


1.  Euler  Angle-Body  Rate  Filters 

• Either  Concept  I body  rate  observer/blenders  can  be  used  with  slight 
modification  to  run  with  SLRT,  or 

• Concept  II  Euler  angle  Kalman  filters  operating  with  bias  estimation 
(scale  factor  estimation  should  be  dropped)  can  also  be  used  with  monitors 
on  bias  estimates  to  diagnose  bias  faults. 

2. Altitude, Normal Acceleration, and Angle-of-Attack--The Concept II filter includes gust estimation and demonstrated superior performance over the Concept I equivalent. This should be used in flight test experiments. This filter will also diagnose airspeed faults.


3. Lateral Acceleration--The gain-scheduled Kalman filter for n_y, P, and R measurement fault detection should be retained. In addition to n_y errors, this filter has growth potential into state reconstruction experiments.


4.  Monitors 

• Fail Operational--Dual sensor sets (n_zm, n_ym, P_m, Q_m, R_m, and α_m) should retain current comparison monitors. A sequential likelihood ratio test of the mean value of the difference of likelihood functions should be used to compare error signals from parallel analytical redundancy schemes operating with dual computers. This scheme as outlined in Section 2 offers high promise of providing a fail-op capability in lieu of the third set of redundant sensors which is currently needed.

• Fail-Safe--The sequential likelihood ratio test of residual mean value demonstrated superior performance over multiple trip monitors. This monitor should be investigated further in flight tests.
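The contrast drawn above between multiple trip monitors and the sequential likelihood ratio test of residual mean value, as an added example that is not code from the study: the fixed-level persistence counter, the Wald bounds, the test parameters and the residual sequence are all assumptions constructed for illustration, and only the 0.05 sec sample time is taken from the report. A small persistent offset stays under the trip level indefinitely while the sequential test accumulates evidence and declares it.

```python
import math

# Constructed residual noise pattern (zero mean, peak 0.6); not data from the study.
NOISE = [0.3, -0.5, 0.1, 0.6, -0.2, -0.4, 0.5, -0.1, 0.2, -0.5]
DT = 0.05       # sample time retained in the study, seconds
FAULT_AT = 40   # sample index at which the constructed fault is inserted


def make_residuals(n, fault_offset):
    """Repeat NOISE for n samples and add fault_offset from FAULT_AT onward."""
    return [NOISE[k % len(NOISE)] + (fault_offset if k >= FAULT_AT else 0.0)
            for k in range(n)]


def trip_monitor(residuals, level, trips_required):
    """Assumed trip logic: fault after trips_required consecutive |r| > level."""
    run = 0
    for k, r in enumerate(residuals):
        run = run + 1 if abs(r) > level else 0
        if run >= trips_required:
            return k
    return None


def slrt_bounds(alpha, beta):
    """Wald bounds for false-alarm probability alpha and miss probability beta."""
    return math.log(beta / (1.0 - alpha)), math.log((1.0 - beta) / alpha)


def slrt_monitor(residuals, mu1, sigma, alpha=1e-4, beta=1e-2):
    """Two-sided sequential test of residual mean: H0 mean 0 vs H1 mean +/-mu1."""
    lower, upper = slrt_bounds(alpha, beta)
    gain = mu1 / sigma ** 2
    llr = {+1: 0.0, -1: 0.0}
    for k, r in enumerate(residuals):
        for sign in (+1, -1):
            # Gaussian log-likelihood ratio increment for a mean shift of sign*mu1.
            llr[sign] += gain * (sign * r - mu1 / 2.0)
            if llr[sign] <= lower:
                llr[sign] = 0.0   # H0 accepted: restart so monitoring continues
            elif llr[sign] >= upper:
                return k
    return None


def compare(fault_offset, n=120):
    """Return (trip monitor index, SLRT index) for a fault of the given size."""
    res = make_residuals(n, fault_offset)
    return (trip_monitor(res, level=1.2, trips_required=3),
            slrt_monitor(res, mu1=0.4, sigma=0.5))


def delay_seconds(index):
    """Detection delay in seconds after fault insertion."""
    return (index - FAULT_AT) * DT


if __name__ == "__main__":
    for name, offset in (("hardover-like", 5.0), ("small offset", 0.4), ("no fault", 0.0)):
        trip, slrt = compare(offset)
        print(f"{name:14s} trip monitor: {trip}  SLRT: {slrt}")
```

The false-alarm and miss probabilities set the two bounds directly, which is where the parameter-setting difficulty noted for this monitor enters: tightening alpha raises the upper bound and lengthens the detection delay.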

Cost-effectiveness analysis of the three concepts is discussed in Appendix A. The proposed flight test concept (with additional monitor logic for roll inputs and q changes plus sensor consistency checks) will use about the same computer requirements as Concept II. Additional consideration should be given to retaining multiple trip monitors for experimental comparisons with the SLRT monitors in flight test.

A subset of the Concept III longitudinal axis filter, i.e., one filter with multiple gain sets, could also be flight tested at minimum expense, allowing investigation of gain-scheduled pitch axis filters for fault detection and state reconstruction.

COST-EFFECTIVENESS ANALYSIS


The  cost-effectiveness  of  analytical  redundancy  techniques  to  detect  and  isolate  faults 
depends  to  a great  extent  upon  how  much  computational  space  is  available  in  the  on-board 
computers.  Designing  detection  schemes  which  are  both  effective  and  computationally 
cheap  has  been  an  underlying  goal  throughout  this  study. 

The  residual  core  of  the  HDC  301  is  typical  of  the  space  available  for  current  on-board 
processors  for  this  type  of  application. 

Computer  sizing  results  for  the  three  concepts  investigated  are  shown  in  Table  A.  1. 
Concepts  I and  II  easily  fit  into  an  HDC  301  processor  on  board  the  A-7D.  Concept  III 
barely  meets  the  computer  capability  available,  but  simulation  adjustments  not  taken 
into  account  here  will  make  this  application  difficult. 

Replaceable redundant sensors are shown in Table A.2 along with cost data. Projected cost savings due to analytical redundancy are shown in Table A.3. The design philosophy taken in this study is not to replace these sensors but to view the cost savings as the price one pays to add a triple redundant set of mission critical sensors, i.e., P_m, Q_m, R_m, n_zm, and n_ym (subcritical).

Sensor reduction is not possible in all cases due to the existence of non-redundant outputs, e.g., U_m, α_m, h_m, φ_m, θ_m, or ψ_m, for the A-7D. Analytical redundancy provides a higher level of fail-safe reliability for these sensors.
TABLE A.1. CONCEPT COMPUTER COST COMPARISON

                                   Total Requirements
Concept      Algorithm             Equivalent Adds   Memory (Words)   Notes
I            Overhead                     98               52         Uses multiple trip criteria monitor.
             P                            51               76
             Q                            69               88
             R                            61               76
             α                           115              110
             h                            77                M
             Totals*                     471              486

II           Overhead                     81               77         Uses sequential likelihood ratio test.
             φ                           121              123         (Euler angle schemes are combined for
             θ                            93              115         comparison with quaternion scheme below.)
             ψ                           113               78
             (φ, θ, ψ combined)          327              316
             h or n_z                    180              112
             n_y, P, R                   436              324
             Totals*                    1024              829

III          Overhead                     81               77         Uses sequential likelihood ratio test.
             n_z or Q                    457              560
             n_y, P, R, 0>               971              111
             θ (Concept II)               93              115
             Totals*                    1602             1479

Quaternion   Total                       775              631         Compare with φ, θ, ψ of Concept II.

*At an iteration rate of 20 per second, the remaining capacity of the A-7D HDC 301 computer is approximately 3500 adds at 5 μsec/add and 1500 words.
TABLE A.2. A-7D SENSOR COST DATA

SENSOR                                      WT (lbs)      POWER RQMT (watts)   TYPICAL COST ($)
Normal Accelerometer (Bourns Inc.)          0.75          1                    500
Lateral Accelerometer (Bourns Inc.)         1.0           1                    500
Pitch & Yaw Rate Gyro (Lear-Seigler)        0.5 (each)    3.5 (each)           600 (each)
Roll Rate Gyro (Lear-Seigler)               0.5           3.5                  600
Inertial Measurement Unit (ASN-50)          20            Unknown              Unknown
Air Data Computer-h, TAS (Air Research)     17            Unknown              Unknown

TABLE A.3. COST-EFFECTIVENESS ANALYSIS

                                                         Analytical Redundancy Concepts
    Comparison Factors                  Baseline System  Concept I               Concept II              Concept III
1   Computer Load (70 KOPS Available)   10.6 KOPS        10 KOPS                 22 KOPS                 35 KOPS
2   Memory (Words) (1500 Available)     481              471                     829                     1479
3   Sensor* Reduction                                    3 Rate Gyros            3 Rate Gyros            3 Rate Gyros
                                                         1 Normal Acceleration   1 Normal Acceleration   1 Normal Acceleration
                                                                                 1 Lateral Acceleration  1 Lateral Acceleration
4   Weight Reduction (lbs)                               2.25                    3.25                    3.25
5   Power Reduction (watts)                              11.5                    12.5                    12.5
6   Hardware Cost Reduction                              $2,300                  $2,800                  $2,800

* Reduction assumes only one angle-of-attack indicator (i.e., A-7D). In cases where two exist, one could be eliminated.
APPENDIX B


SIMULATION  DESCRIPTION 


B.l  INTRODUCTION 

A six-degree-of-freedom  real-time  simulation  of  the  A-7D  aircraft  and  control  system 
was  implemented  on  a PACER  700  hybrid  computing  system.  The  PACER  system  is 
comprised  of  a digital  computer  (16K  memory,  32-bit  word)  with  teletype,  card  reader, 
line  printer  and  moving  head  disk,  two  parallel  analog  processors,  and  an  interface 
providing  data  exchange  capabilities  between  analog  and  digital.  Additional  data  channels 
allow  interfacing  with  external  processors  such  as  the  Sigma  5 hybrid  computing  system. 
Figure  B.  1 provides  a functional  block  diagram  of  how  the  PACER  700  is  integrated 
with  the  Sigma  5. 


Figure  B.  1.  PACER  700  Computing  System  Interfaced  with  SIGMA  5 
The real-time aircraft was implemented on the hybrid computer in a way that best utilized the high-speed characteristics of an analog and the accuracy and data storage capability of a digital computer. An all-digital aircraft simulation would require a sample rate of less than 10 cycles/second to process data in a real time frame, while an all-analog simulation is inherently less accurate and more cumbersome to initialize. By programming the higher frequency components of the equations of motion on the analog and using the digital subsystem for lower frequency computations, an accurate real-time simulation with a digital sample rate of 20 cycles/second was achieved. Figure B.2 is a block diagram of the A-7D simulation showing the digital/analog partitioning.

B.  2 HYBRID  IMPLEMENTATION 

The digital computer, programmed with Fortran, is used to store aerodynamic data tables, provide function table look-ups of the aerodynamic coefficients, and process low-frequency aircraft dynamics. It computes earth axis aircraft velocities (Ẋ, Ẏ, ḣ) and integrates to position (X, Y, h). Euler angles (φ, θ, ψ) are computed via quaternion integration. Other computed parameters are flight path and heading angles (γ, χ).

Digital  routines  are  also  used  to  provide  data  input/output  capabilities,  initialize  the 
simulation,  compute  initial  trim  conditions,  and  provide  master  control  over  the  entire 
simulation.  A subroutine  which  inputs  programmed  maneuvers  to  the  control  system 
was  added  before  making  final  production  runs  to  ensure  consistency  between  runs. 

The analog subsystem computes all aerodynamic forces and moments and evaluates the equations of motion for u̇, v̇, ẇ, ṗ, q̇, and ṙ. Analog integration of these accelerations provides the corresponding translational and rotational velocities. Other aircraft parameters, angle-of-attack, sideslip angle, angle-of-attack rate, and total velocity (α, β, α̇, V_T) are computed on the analog computer. An analog control system provides basic rate and acceleration feedbacks to the actuators. Models of the pilot stick dynamics are also implemented in the pitch and roll axes. Block diagrams of the control system are shown in Figures B.3, B.4, and B.5.

B.  3 PROGRAM  CONTROL 

The  PACER  100  digital  computer  provides  master  control  of  the  entire  simulation. 

Figure B.6 shows how the digital control ties all pieces of the simulation together. By selecting sense switches on the computer consoles, the operator can start and stop the simulation, request new runs at the previous flight condition (RERUN), or change data for new runs (REINIT). An option for stopping and continuing the same run is also provided (HOLD). The controller responds to the operator commands by switching the analog into "PS" (pot set), "IC" (initial condition), "H" (hold), or "OP" (operate), and then branches to appropriate digital routines.

Figure B.2. A-7D Hybrid Simulation Block Diagram

Figure B.4. Roll Axis Control Laws for A-7D Aircraft Simulation

Figure B.5. Yaw Axis Control Laws for A-7D Aircraft Simulation

During initialization, the aerodynamic data tables are stored in memory and program constants are set. At this point new data can be entered through the console teletype; the minimum data for the first run require an initial altitude, velocity, and maximum run time. Communication within the system is accomplished through a single array which is common to all subroutines including the input and output routines. An iterative trim routine is used to set initial conditions on angle-of-attack, elevator position, and thrust.

Once the operate mode is entered, a computer cycle consists of momentarily "freezing" the A/D channels (not the analog) while data conversion is performed, followed by processing the digital equations of motion. Simulation time is updated and tests for run termination are performed. These computations require approximately 35 to 40 milliseconds. The computer is then cycled through a tight loop while waiting for a pulse from the real-time clock (every 50 msec), thus establishing real-time digital processing. The analog, of course, processes continuously during each and every digital cycle.
APPENDIX C


SENSOR  FAULT  DETECTION  WITH  QUATERNIONS 

Euler angles (φ, θ, ψ) and body rates (P, Q, R) have well-defined relationships (see Equations (7) through (12)). The foregoing development uses quaternions to employ another set of relationships which offer some advantages over the standard equations.

C.  1 ATTITUDE  ESTIMATION  AND  FAULT 
DETECTION  WITH  QUATERNIONS 

The use of generalized coordinates or quaternions for solving Euler angle rotations offers an alternate approach to construction of a Kalman filter innovations process. This provides an alternate approach for detecting faults in body angular rates and Euler angles.

Using definitions and (for the most part) development of Deyst and Deckert (Reference 37) and defining an attitude quaternion which rotates a vector from Reference Frame 1 to 2 as $q_2^1$, the following relationships can be observed:

$$q_3^1 = q_2^1 \, q_3^2 \qquad \text{(C1)}$$

$$q_2^1 = q_3^1 \, (q_3^2)^* \qquad \text{(C2)}$$

$$q_3^2 = (q_2^1)^* \, q_3^1 \qquad \text{(C3)}$$

(* implies conjugate)


The  error  between  the  estimated  body  frame,  B,  and  the  actual  body  frame,  B,  can  be 
written  as 

where "I" is the inertial reference frame.


If  the  estimated  body  frame  is  close  to  the  real  body  frame,  then  the  estimation  error 
quaternion  is 


φ_b, θ_b, ψ_b = small rotation angles from the estimated body frame to the actual body frame

The  error  angles  propagate  according  to 

where 

e_ω is the body axis rotational velocity error

ΔT is the time increment

t_k is the current time

For our purposes, we can assume e_ω is the noise term in the body rate gyros, i.e.,

e_ω ~ N(0, Q_e) white (C8)


is  a three-state  vector 


where 


In  order  to  properly  construct  a Kalman  filter,  it  is  necessary  to  provide  additional 
quaternions  for  the  filter  to  operate  on.  One  is 


B 

where 

B is  the  estimated  body  frame  before  measurement  update 
B is  the  measured  body  frame 


This  can  be  obtained  by  performing  the  following  quaternion  multiplication: 

“I  ■ <4>*  4 

q~ is available from the measuring device (attitude reference system or inertial measurement unit), qg is properly derived by integrating the upgraded previous quaternion, q^, where 6 is the updated body estimate, i.e., newest measurement incorporated. This can be accomplished by examining the quaternion differential equation. In continuous time

$$\dot{X} = AX$$

X is a four-state vector composed of elements of $q_B$, i.e.,

$$q_B = q_0 + q_1 i + q_2 j + q_3 k$$

where

i, j, k are unit basis elements

This is equivalent to

$$(q_0, q_1, q_2, q_3) \qquad \text{(C12)}$$

$$A = -\frac{1}{2}\begin{bmatrix} 0 & P & Q & R \\ -P & 0 & -R & Q \\ -Q & R & 0 & -P \\ -R & -Q & P & 0 \end{bmatrix} \qquad \text{(C13)}$$

$$e^{A\Delta T} = I \sum_{i=0}^{\infty} \frac{c^i}{(2i)!} + A\,\Delta T \sum_{j=0}^{\infty} \frac{c^j}{(2j+1)!}$$

where

c = -i(P^ +Q^
t_n = time at the nth sample


This demonstrates the fairly easy way one can expand $e^{A\Delta T}$ into a sufficiently large number of terms by expanding two scalar power series. The result is that the prediction step can be carried out simply:


I I 

This  results  in  q=  (t  , , ) from  q * (t  ) to  complete  the  iteration 
o n+i  D n 

1 I B 

qg  ' Qb 

B B B 

where  q!g  is  calculated  with  a Kalman  filter  applied  to  qg.  qg  can  be  written 

B t t ^ 


(C16) 


(C17) 


(C18) 
where


^ *b^ 


(C19) 


Equation (C7) allows the filtering problem to be handled completely decoupled, i.e., three first-order filters. Defining the measurement error covariance


= 

s n 


0 n 

e n 

0 0 


the  error  covariance  (before  measurement) 


s n 


M (t  ) 0 0 

0 n 

0 MJt  ) 0 

6 n 

0 0 MJt  ) 

♦ '^1 


and  the  error  covariance  (after  measurement) 


0 n 


Ps<‘n>  = 0 P6<‘n>  0 

0 0 P^(t„> 


the  quantity  q*  becomes  (Reference  37) 


"I  ■ > - 


(C20) 


(C21) 


(C22) 


(C23) 
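The quaternion prediction step of Section C.1, expanding the state transition matrix through two scalar power series, as an added example that is not the report's Fortran: it takes A as -1/2 times the body-rate matrix of (C13) and c = -(1/4)(P² + Q² + R²)ΔT², both assumptions where the scan is illegible, and all function names are hypothetical. It also shows the failure mode of truncating to a single term, where the quaternion norm grows at high roll rate.

```python
import math


def rate_matrix(P, Q, R):
    """A = -1/2 * M, M being the skew-symmetric body-rate matrix of (C13).

    The -1/2 factor is an assumption where the scan is illegible.
    """
    M = [[0.0,   P,   Q,   R],
         [ -P, 0.0,  -R,   Q],
         [ -Q,   R, 0.0,  -P],
         [ -R,  -Q,   P, 0.0]]
    return [[-0.5 * m for m in row] for row in M]


def matrix_square_is_scalar(P, Q, R):
    """Check A*A = -(1/4)(P^2+Q^2+R^2) I, the property behind the two series."""
    A = rate_matrix(P, Q, R)
    scalar = -0.25 * (P * P + Q * Q + R * R)
    for r in range(4):
        for col in range(4):
            entry = sum(A[r][k] * A[k][col] for k in range(4))
            if abs(entry - (scalar if r == col else 0.0)) > 1e-12:
                return False
    return True


def series_sums(P, Q, R, dt, terms):
    """Truncated scalar series sum c^i/(2i)! and sum c^j/(2j+1)!.

    c = -(1/4)(P^2 + Q^2 + R^2) dt^2 is assumed (it equals the scalar in
    (A dt)^2 = c I); the page's own definition of c is cut off.
    """
    c = -0.25 * (P * P + Q * Q + R * R) * dt * dt
    even = odd = 0.0
    power = 1.0
    for i in range(terms):
        even += power / math.factorial(2 * i)
        odd += power / math.factorial(2 * i + 1)
        power *= c
    return even, odd


def predict(q, P, Q, R, dt, terms=4):
    """One prediction step: exp(A dt) q = even * q + odd * dt * (A q)."""
    A = rate_matrix(P, Q, R)
    even, odd = series_sums(P, Q, R, dt, terms)
    Aq = [sum(A[r][k] * q[k] for k in range(4)) for r in range(4)]
    return [even * q[r] + odd * dt * Aq[r] for r in range(4)]


def integrate(q0, P, Q, R, dt, steps, terms=4):
    """Propagate q0 through `steps` samples at constant body rates."""
    q = list(q0)
    for _ in range(steps):
        q = predict(q, P, Q, R, dt, terms)
    return q


def norm(q):
    return math.sqrt(sum(x * x for x in q))


if __name__ == "__main__":
    # Constructed case: pure roll at 90 deg/sec for 1 sec, sampled at 0.05 sec.
    roll = math.pi / 2
    q4 = integrate([1.0, 0.0, 0.0, 0.0], roll, 0.0, 0.0, 0.05, 20, terms=4)
    q1 = integrate([1.0, 0.0, 0.0, 0.0], roll, 0.0, 0.0, 0.05, 20, terms=1)
    print("4 terms:", q4, "norm", norm(q4))
    print("1 term :", q1, "norm", norm(q1))
```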


C.  2 SIGNIFICANCE  OF  FORMULATION 

The  above  representation  has  a number  of  features  which  make  it  inviting  for  analytical 
redundancy: 

• It  has  a computationally  simple  filter  although  it  has  a higher  order  filter 
than  a design  based  on  standard  relationships. 
APPENDIX D


SIMULATION STRIP CHARTS


This appendix contains a set of outputs in strip chart form for the fault runs on each of the three concepts. The strip charts show the following:

• Flight Condition

  1 => h = 1000 ft, V = 335.1 fps (low q)
  2 => h = 15000 ft, V = 750 fps (medium q)
  3 => h = 2000 ft, V = 1005 fps (high q)

• Maneuver--Pilot commands for either pitch or roll maneuvers.

• Failed Sensor--Either accelerometers (n_z, n_y), rate gyros (p, q, r), attitude sensors (φ, θ, α), airspeed indicator (V), or altimeter (h).

• Failure Types

  +H.O.   => Hardover--output is maximum reading for a given sensor.
  D       => Dead sensor--output is zero.
  B       => Bias error--output has a ramp bias.
  S.F.-L  => Low scale factor error--output equals 0.75 actual.
  S.F.-H  => High scale factor error--output equals 0.5 actual.
  D.R.    => Dynamic response--all signals low pass filtered at 1.0 rad/sec.


Table D.1 defines some special nomenclature used in labeling Figures D.1 through D.156. Tables D.2, D.3, and D.4 provide figure information concerning concept tested, maneuver, and fault inserted.
TABLE D.1 STRIP CHART LABELS

Strip Chart Label    Parameter          Definition
NZ                   n_z                Normal Acceleration (actual)
NZM                  n_zm               Normal Acceleration (sensor reading)
Q                    Q                  Pitch Rate (actual)
QM                   Q_m                Pitch Rate (sensor reading)
THETA                θ                  Euler Pitch Angle (actual)
THETAM               θ_m                Euler Pitch Angle (sensor reading)
ALPHA                α                  Angle-of-Attack (actual)
ALPHAM               α_m                Angle-of-Attack (sensor reading)
H                    H                  Altitude (actual)
HM                   H_m                Altitude (sensor reading)
P                    P                  Roll Rate (actual)
PM                   P_m                Roll Rate (sensor reading)
PHI                  φ                  Euler Roll Angle (actual)
PHIM                 φ_m                Euler Roll Angle (sensor reading)
R                    R                  Yaw Rate (actual)
RM                   R_m                Yaw Rate (sensor reading)
PSI                  ψ                  Euler Yaw Angle (actual)
PSIM                 ψ_m                Euler Yaw Angle (sensor reading)
U                    U                  Velocity along X-axis (actual)
UM                   U_m                Velocity along X-axis (sensor reading)
VP, VQ, VR, etc.     v_p, v_q, v_r      Residual Outputs from AR Computations
TABLE D.2 STRIP CHART RUN LEGEND--CONCEPT I

Figure    AR Test   Flight                 Failed   Failure
Number    Concept   Condition   Maneuver   Sensor   Type*
D.1                             NONE       n_z      H.O.
D.2                             NONE       n_z      D
D.3                             PITCH      n_z      D
D.4                             PITCH      n_z      D.R.
D.5                             NONE       n_z      B
D.6                             PITCH      n_z      S.F.
D.7                             NONE       q        +H.O.
D.8                             PITCH      q        D
D.9                             NONE       q        B
D.10                            PITCH      q        S.F.-L
D.11                            PITCH      q        S.F.-L
D.12                            PITCH      q        S.F.-H
D.13                            NONE       θ        +H.O.
D.14                            NONE       θ        D
D.15                            NONE       θ        B
D.16                            PITCH      θ        S.F.-L
D.17                            NONE       θ        S.F.-H
D.18                            NONE       α        +H.O.
D.19                            PITCH      α        D
D.20                            NONE       α        B
D.21                            PITCH      α        S.F.-L
D.22                            PITCH      α        S.F.-H
D.23                            NONE       h        -H.O.
D.24                            NONE       h        B
D.25                            ROLL       P        +H.O.
D.26                            ROLL       P        -H.O.
D.27                            ROLL       P        D
D.28                            NONE       P        B
D.29                            ROLL       P        S.F.-L
D.30                            ROLL       P        S.F.-H

*H.O. = Hardover, D = Dead, D.R. = Dynamic Response, B = Bias, S.F. = Scale Factor, L = 25% S.F., H = 50% S.F.
TABLE D.2 STRIP CHART RUN LEGEND--CONCEPT I (concluded)

Figure    AR Test   Flight                 Failed   Failure
Number    Concept   Condition   Maneuver   Sensor   Type*
D.31      1         2           ROLL       φ        +H.O.
D.32      1         2           ROLL       φ        D
D.33      1         2           NONE       φ        B
D.34      1         2           ROLL       φ        S.F.-L
D.35      1         2           ROLL       φ        S.F.-H
D.36      1         2           NONE       r        +H.O.
D.37      1         2           ROLL       r        D
D.38      1         2           NONE       r        B
D.39      1         2           ROLL       r        S.F.-L
D.40      1         2           ROLL       r        S.F.-H
D.41      1         2           NONE       ψ        +H.O.
D.42      1         2           ROLL                D
D.43      1         2           NONE       ψ        B
D.44      1         2           ROLL       ψ        S.F.-L
D.45      1         2           ROLL       ψ        S.F.-H

*H.O. = Hardover, D = Dead, D.R. = Dynamic Response, B = Bias, S.F. = Scale Factor, L = 25% S.F., H = 50% S.F.
TABLE D.3 STRIP CHART RUN LEGEND--CONCEPT II

Figure    AR Test   Flight                 Failed   Failure
Number    Concept   Condition   Maneuver   Sensor   Type*
D.46      2         3           NONE       n_z      +H.O.
D.47      2         3           NONE       n_z      -H.O.
D.48      2         3           PITCH      n_z      D
D.49      2         3           NONE       n_z      D.R.
D.50      2         3           PITCH      n_z      D.R.
D.51      2         2           NONE       n_z      B
D.52      2         2           PITCH      n_z      S.F.-L
D.53      2         2           PITCH      n_z      S.F.-H
D.54      2         2           PITCH      n_z      S.F.-H
D.55      2         2           NONE       q        +H.O.
D.56      2         2           NONE       q        -H.O.
D.57      2         2           NONE       q        D
D.58      2         2           PITCH      q        D
D.59      2         2           PITCH      q        D
D.60      2         2           NONE       q        B
D.61      2         2           NONE       q        S.F.-L
D.62      2         2           PITCH      q        S.F.-H
D.63      2         2           PITCH      q        S.F.-L
D.64      2         2           NONE       θ        +H.O.
D.65      2         2           PITCH      θ        D
D.66      2         2           NONE       θ        B
D.67      2         2           PITCH      θ        S.F.-L
D.68      2         2           PITCH      θ        S.F.-H
D.69      2         1           NONE       α        +H.O.
D.70      2         1           NONE       α        -H.O.
D.71      2         1           NONE       α        D
D.72      2         1           NONE       α        B
D.73      2         1           PITCH      α        S.F.-L
D.74      2         1           PITCH      α        S.F.-H
D.75      2         1           NONE       h        -H.O.

*H.O. = Hardover, D = Dead, D.R. = Dynamic Response, B = Bias, S.F. = Scale Factor, L = 25% S.F., H = 50% S.F.
TABLE D.3 STRIP CHART RUN LEGEND--CONCEPT II (continued)

Figure    AR Test   Flight                 Failed   Failure
Number    Concept   Condition   Maneuver   Sensor   Type*
D.76      2                     NONE                B
D.77      2                     NONE                D
D.78      2                     NONE                +H.O.
D.79      2                     NONE                +H.O.
D.80      2                     NONE                -H.O.
D.81      2                     NONE                D
D.82      2                     ROLL                +H.O.
D.83      2                     ROLL                -H.O.
D.84      2                     ROLL                D
D.85      2                     NONE                B
D.86      2                     ROLL                S.F.-L
D.87      2                     ROLL                S.F.-H
D.88      2                     NONE                +H.O.
D.89      2                     ROLL                +H.O.
D.90      2                     ROLL                -H.O.
D.91      2                     ROLL                D
D.92      2                     NONE                B
D.93      2                     ROLL                S.F.-L
D.94      2                     ROLL                S.F.-H
D.95      2                     ROLL                +H.O.
D.96      2                     ROLL                -H.O.
D.97      2                     ROLL                +H.O.
D.98      2                     ROLL                -H.O.
D.99      2                     ROLL                D

*H.O. = Hardover, D = Dead, D.R. = Dynamic Response, B = Bias, S.F. = Scale Factor, L = 25% S.F., H = 50% S.F.


TABLE D.3 STRIP CHART RUN LEGEND--CONCEPT II (concluded)

Figure    AR Test   Flight                 Failed   Failure
Number    Concept   Condition   Maneuver   Sensor   Type*
D.100     2         2           ROLL       r        D
D.101     2         2           NONE       r        B
D.102     2         2           ROLL       r        S.F.-L
D.103     2         2           ROLL       r        S.F.-H
D.104     2         2           ROLL       ψ        +H.O.
D.105     2         2           ROLL       ψ        -H.O.
D.106     2         2           ROLL                D
D.107     2         2           ROLL       ψ        D
D.108     2         2           NONE       ψ        B
D.109     2         2           ROLL       ψ        S.F.-L
D.110     2         3           ROLL       n_y      -H.O.
D.111     2         3           ROLL       n_y      +H.O.
D.112     2         3           ROLL       n_y      D
D.113     2         3           NONE       n_y      B
D.114     2         3           ROLL       n_y      S.F.-L
D.115     2         3           ROLL       n_y
D.116     2         3           ROLL       n_y

*H.O. = Hardover, D = Dead, D.R. = Dynamic Response, B = Bias, S.F. = Scale Factor, L = 25% S.F., H = 50% S.F.
TABLE D.4 STRIP CHART LEGEND--CONCEPT III

Figure    AR Test   Flight                 Failed   Failure
Number    Concept   Condition   Maneuver   Sensor   Type*
D.117     3         3           NONE       n_z      +H.O.
D.118     3         3           PITCH      n_z      D
D.119     3         3           PITCH      n_z      D
D.120     3         3           PITCH      n_z      D
D.121     3         3           PITCH      n_z      D
D.122     3         3           PITCH      n_z      D.R.
D.123     3         3           PITCH      n_z      S.F.-L
D.124     3         3           PITCH      n_z      S.F.-H
D.125     3         2           NONE       q        +H.O.
D.126     3         2           PITCH      q        D
D.127     3         2           PITCH      q        D
D.128     3         2           PITCH      q        D
D.129     3         2           PITCH      q        D
D.130     3         2           PITCH      q        S.F.-L
D.131     3         2           PITCH      q        S.F.-H
D.132     3         1           PITCH      α        +H.O.
D.133     3         1           NONE       α        D
D.134     3         1           NONE       α        S.F.-L
D.135     3         2           ROLL       P        +H.O.
D.136     3         2           ROLL       P        D
D.137     3         2           ROLL       P        -H.O.
D.138     3         2           ROLL       P        S.F.-L

*H.O. = Hardover, D = Dead, D.R. = Dynamic Response, B = Bias, S.F. = Scale Factor, L = 25% S.F., H = 50% S.F.
Figure D.9

APPENDIX E


PROGRAM  DOCUMENTATION 


This  appendix  contains  the  routines  used  for  the  sensor  fault  evaluations  examined  in  this 
study. 


E.  1 MAINLINE  CALLING  SEQUENCE 


The  implementation  of  the  analytical  redundancy  schemes  is  made  through  a series  of 
calls  to  modularized  subroutines.  The  sequence  of  call  statements  for  each  concept  is 
given  in  the  subsections  that  follow. 


E.  1.1  Concept  I Calling  Sequence 


C 

C CONCEPT  1 
C 

CALL  HOLLMON(OAC«V(30> ♦ 1) 

CALL  MONC(XMONl«XMONO«OMON»35»J9.Vt30) ) 

CALL  DETECT (IFLAGl (35) « V < 35> « V ( 36) , V t 37 ) . V t 38) . v t 39) 
1»XM0N1 (35) ♦XMONl (36) »XMONl  C)?) ♦XMONl (38) *XM0N1 (39) ) 
CALL  F0ELAY(1FLA(>UIFLA62»3S»39) 

CALL  WhOA(Y) 


E.1.2 Concept II Calling Sequence


CONCEPT  a calling  sequence 
call  i<0LLM0N(r)AC«V(30»  *1  » 

CALL  AP21 (Y(6»«Y(3j.So.CP.ST»rT.XBAP,XHAT.Vf0r) 

CALL  ABa2(ALTM,ALM,NZM»Y(3> .SO.CP. ST . CT .UON.O .0 t X3AR ( 4) .XHAT(IO) 
I «V(4) «0T«T) 

CALL  ARa3(NYM«PM«RM«0RT*UAT«UQM»ALTH«QRAKM»ALH*CT«SP«XBAR(7) 
I.XHAT(13) «V(6) «0T*0PTI0N> 

SET  monitors  EOR  MULTIPLE  TRIP  EVALUATION 


00  86  1=1 «8 
H6  XMONl (1 ) sXMONOC  1 ) 

CALL  M0N0(XM0N1 «QBARM«T) 

CALL  MONHtXMONl «ALTM) 

call  MONC(XMONl«XMONl»OMON»l*«*Vt30>  > 

multiple  TRIP  evaluation 

call  H0N3(V«XM0N1 *fELA63*l*MV) 
call  E0ELAY(IELAG3.IEi.AG2.1,Nv> 

ADJUST  monitors  EOR  Si.RT  EVALUATION 

XMONl (S)sXMONl (S) *.002 
XMONl (6)=XM0N1 (6) *0.2 
XMONl (7)=XM0N1 (7) *.01 
XMONl (8)=XM0N1 (81*0.003 

SLRT  EVALUATION 

call  MONI  (Vd)  .XMONl  (1 1 .IELAGI  (1  1 .NVf  20.1 1 


SET-UP  dual  BOOY-PATE  SIGNALS  EOR  EAIl-OP  EVALUATION 


CALL  AR24(Y(6) . Y ( 3) . Y ( 1 2) ,59. CP.ST .CT . X3AR ( 1 1 ) .XHAT ( I 7) fV(9> 
1 .OT.VLIKE) 

evaluate  COMPARISON  MONITORS  OP  DUAL  SIGNALS 

call  M0N3(V. XMONl, IELAGI, 31, 331 
CALL  E0ELAY(IELAG1,IElAG2,31,33) 

APPLY  SLRT  EOR  EAIlURE  ISOLATION 

call  M0N2(VlIKE, IEi.AGI (31 ) ,IElAG2(31 >, IELAGI (34) ,IElAG2(34) 

1 .XMONl (34) ) 

EXTRA,  EVALUATE  BOOY-PATE  BIAS  ESTIMATION  EOR  BIAS  EAULTS 

V(40)*XMAT(2) 

V(4l)=XHAT(5) 

V(42)*XHAT(fl) 

CALL  M0N3(V. XMONl, IELAGI, 40, 4?) 
call  E0ELAY(IELAG1,IElAG2,40,42) 

CALL  MHOAIY) 
E.1.3 Concept III Calling Sequence


CONCEPT  J 
Hi-PAss  All 


INPUTS 


CALL  hpas^(NZh«NZH.ZC 1 ) *Z(2) I 
CALL  rtPAS2(0M«0H«Z(7) .ZtS) ) 
call  HPAS2(ALH«ALH,Z( 11 ) *Z( 12)) 

CALL  mpaS2(0ET«0EH,Z(  13)  *Z(  )<») ) 

longitudinal  filtfps 

call  *P31 (NZH,OH.ALH.OtH*UOM»ALTM.OiARM.ARAqn 1 ) »XHAT{1 7) 
1 tV(9) (OTtlCON) 

CALL  HPAS2(Nym,NYH,Z(3).Z(A)) 

CALL  HPAS2(PM.PH»Z(5) »Z<6) ) 

CALL  HPaS2(RH.RH«Z(9)  tZdO)  ) 

CALL  hPAS2(0AT.0Ah«Z(1S) «Z()6) ) 
call  HPAS2(0RT«0RH*Z(17) *Z(ld) ) 


LATERAl-DIRECTIONAl  filters 

call  AR32(NYH.PH«RH(DRHtOAH,UOH«ALTH*3BAKH*XBARI20) *XHAT(26) 
l«V(lb) fOT) 

SET  monitors  for  multiple  trip  criteria 

00  8S  I«9«29 
85  XH0N1(I)«AH0N0(I) 

CALL  HONQCXHONl tQBARM,T) 

CALL  MONHtXMONl «ALTM) 

call  MQNC(XM0N1>XH0NI *OMON»9*29fV(30) ) 

CALL  H0N3(V«XM0Nlf lFLA03*9tNV»8) 

CALL  FOELAY ( IFLAC3. IFlAG2*9,NV»8) 

ADJUST  MONITORS  FOR  SlRT 

XMONl (9) »XMONI (9) *.5 
XHONl (11)«XM0NI (Il)«*0015 
XMONl (12) «XM0NI (12)«.S 
XMONl  (I<»)>XMONI  (lA)  «.0030 
XMONl (1S)«XM0N1 (IS) «1.0 
XMONl (17)*XM0N1 (17)*. 0015 
XMONl (21)«XM0N1 (21)«.5 
XMONl (23)«XM0N1 (23)«.003 

CALL  MONl (V(9) tXMONl (9) *1FLAG) (9) fNV«20*l) 

apply  CONCEPT  3 ISOLATION  LOGIC 

CALL  C3KEC0V( IFlAGI ( 12) *1FLAG1 (13) t IFlAGI (16) « IFlaGI (17) 

1*  IFlAG) (2A)f IFLAGI (26) « IFLAGI (27) t IFLAGI (28) « tSENF* 1 ) 

CALL  WHOA(Y) 
TABLE E.1. MAINLINE VARIABLE DEFINITIONS

Program Variable | Physical Quantity Description

 | Measurements
 | Concept II Residuals
 | Concept III Residuals
IFLAG1, IFLAG2 |
 | Concept III Residuals
 | Roll Monitor
 | Dual Body Rate Sensor Error Signals
 | Likelihood Difference Function
 | Concept I Error Signals
 | Concepts II and III Updated Estimates
 | Concepts II and III Predictions
 | Aileron Command Signal
 | Sample Time (.05 sec)
 | Gain Schedule Option
 | Initial Monitor Levels
 | Scheduled Monitor Levels



E.2 ANALYTICAL REDUNDANCY SUBROUTINES

E.2.1 MONQ — This routine schedules certain monitors with lagged q.

420 ≤ q ≤ 1300 (lbs/ft^2)

      SUBROUTINE MONQ(XMON1,QBARM,T)
      DIMENSION XMON1(1)
      IF(T.GT.0.) GO TO 1
      QBARF=QBARM
      PHIQ=.975
      RETURN
    1 CONTINUE
      QBARF=QBARF*PHIQ+(1.0-PHIQ)*QBARM
      SQ=QBARF
      IF(SQ.GT.1300.)SQ=1300.
      IF(SQ.LT.420.)SQ=420.
      RAT=(SQ-420.)/780.
      XMON1( 6)=( 2.0-XMON1( 6))*RAT+XMON1( 6)
      XMON1( 9)=( 6.2-XMON1( 9))*RAT+XMON1( 9)
      XMON1(12)=( 6.2-XMON1(12))*RAT+XMON1(12)
      XMON1(15)=(10.0-XMON1(15))*RAT+XMON1(15)
      XMON1(18)=( 2.0-XMON1(18))*RAT+XMON1(18)
      XMON1(21)=( 2.5-XMON1(21))*RAT+XMON1(21)
      XMON1(24)=( 2.0-XMON1(24))*RAT+XMON1(24)
      XMON1(27)=( 2.5-XMON1(27))*RAT+XMON1(27)
      RETURN
      END



E.2.2 ROLLMON — This routine is used to increase monitors during roll maneuvers commanded by the roll stick.

      SUBROUTINE ROLLMON(DAC,Y,N)
      IF(N.GT.0)GO TO 1
      X=0.0
      XMAXO=0.0
      DAO=0.0
      A=5.0
      PHI=EXP(-ALOG(A)*.05)
      RETURN
    1 CONTINUE
      DDA=3.0*ABS(DAC-DAO)
      IF(DDA.LT.0.2)GO TO 2
      IF(X.GT.A*DDA)GO TO 2
      X=A*DDA
      XMAX=AMIN(DDA,2.0)
      XMAX=AMAX(XMAX,XMAXO)
      XMAXO=XMAX
    2 CONTINUE
      Y=X
      IF(Y.GT.XMAX)Y=XMAX
      DAO=DAC
      X=X*PHI
      IF(X.LT.0.2)XMAXO=0.0
      RETURN
      END
E.2.3 MONC — Apply ROLL UPLOGIC calculated in ROLLMON.

      SUBROUTINE MONC(XMON1,XMON0,DMON,N1,N2,Y)
      DIMENSION XMON1(1),XMON0(1),DMON(1)
      DO 2 I=N1,N2
    2 XMON1(I)=XMON0(I)+Y*DMON(I)
      RETURN
      END



E.2.4 DETECT — Complete Concept I algorithm (not including multiple trip delay).




subroutine  0C7ECT(IFAlL«PE«0e«RE«NZE«H0E«KPl«KQi«KRi«KNZl«KHDl) 
SENS9R  FAILURE  0ETECT19N  LOGIC 
CONCEPT  1 

OI'^ENSION  IFaIL(I) 
common  /FIlTIC/M00E*0T 

COMMON  /FIuTER/XP(20»,yP(?C»,Cl(20)#C2(20)«XPPtlrU,0TI 
common  /SENS/Y(17)«LLIM(ll)«ULlM»ll)#SI(>B(ll)#SlGSFrll)«SlQSN(ll j 
l«BIAS(ll)iSFBR(3) 
real  LLIM 

real  nzs^nzc^nzea 
real  NZMjNVM 
real  XPliKPg 
real  KGliKQSjKSatKOA 

REA^  <RliKR2i<R3#<R4 

REAL  KNZl«KNZ2«t(NZ3«KNZ4«KNZ5«KNZ4 

real  KHUii<H02«KH03«KH04 

DATA  KP2/.055/ 

data  KQ2#Ka3i<G4/*o5S«»0353>3*0/ 
data  KR2#KR3«KR4/.0S5«*0050/0.C/ 

data  KNZ2#KNZ3«KNZ4«t(N25«KNZ4/>0lS> (SSa (SAa  *0342. .0353/ 

OATA  KM02.  iCMDa.  KH04/.028.  .35.21./ 

OATA  RTO/57.3/ 

oiqital  inputs 

equivalence  (NZM.Y(I) ».(NVM,y{g) ). (Pm#Y(3) )# (0M.Yf4) )# (RM, Y(5> ) 

• <(PHIM#V»6»)#(TMETAM,Y(7) ). (PSIM,Y(8) t. (UBM.Y(9>) 


2 

3 


#(ALM#Y(10»)»(ALTm«YI11)). (DEe,V(l2)).(0A0.Y(l3)) 
«(0R9«y(14))#(UG«Y(l5))MVGAY(l4))MWC«Y(l7)) 


NZS<iNZM/32,17 

POS»Pm»HTO 

a0S«QM*RT0 

R08*RM*HtO 

PHIoS«PHIm*RTO 

THOS«THETAM*RTO 

P8I0S«PSiM#RT0 

VCLS«U0M 

alos«alm*rto 

m8*ALTM 

SPH1S»SIN(PHIM) 

CPHI8«t»S(PHIM) 

8TMS«8IN(THETAM) 

CTHS*COS(TmeTAM) 

POSAaABScPOS) 

QOSAtABScQOS) 

R08AaABS(R0S) 


ROLL  «ATE  MECHAM12AT10N 

TlaDERlV(7«PHlDS)  • OERIVtl«PStDS)*SrHS 
T3«P0S  • RLIM<T1<-200»<300*) 

PEfrOLAG(l«tliT2) 

PEAaABS(PE) 

T3aKPl  ♦ KP2*P0SA 
iFAlLCDaO 

lF(PEA*tie«T3)  IFAlU(l)««l 

PITCH  RATE  mechanization 
T6f0ERlV<2<TM0S)»CPMlS 
T5«0ERlV(3<PSICS»*SPHtS»CTHS 
T6»T6  ♦ T5 

T7»Q0S  • RLlMrT6*«30«i30O 
QE<P0LAa(2«.l«T7) 

QEAaAaS(QE) 

TSaKOl  ♦ KS2*Q0SA  * KQ3*PDSA  ♦ K06*RDSA 
lFAIL(3)aO 

|F(QEA*Ge*T8)  1FA1L(3)>-1 

YAK  RATE  MECHANIZATION 

T9a0ERlV(A«PSI0S)*CPHtS*CTHS 
T10aDERIV(5iTH0S)aSPHIS 
TllaROS  • T9  4 TIO 
REaF0LAG(34.l4Tll) 

REAaABS(RE) 

T13aKRl  4 KR24RDSA  * KR34P0SA  4 KRavQDSA 
lFAlL(3)aO 

ir(REA«Qe«Tl2)  IrAlL(3)aal 

normal  ACCEL  MECHANIZATION  fNOt  i) 

Tl3aOOS  • 0ERIV(6«AL0S) 

Tl6aVELSaTl3/(57*3a33.l7l 
T15aTl6  4 CTXSaCPHIS  • 1* 

TUaNZS  • RLIM(Tl5«a6f#10*} 

NZEaF0LAa(4«tl«Tl6) 

NZCAaAHS(NZC) 

T17aKNZl  4 KNZ2«aOSA  4 KNZ3*ABS(NZS)  ♦ 

1 VELSa(KNZ6  * KNZSvQOSA  4 KNZ6*PDSA)/(R7*3*33*17) 

lFAlL(6)a0 

lF(NZEA«aE<T17)  IFAlL(6)aal 

ALTITUDE  HECHANIZATION 

T18«STHS  • CPHlSaCTHS«AL0S/57*3 

Tl9«VELSaT18 

H08aHIPASS(5««l«HS) 

MOEaMOS  • FeLA8(6«*l#Tl9) 

HOEAaAeS(HCE) 

rZOvKHOl  4 KH03*ABS(VELS}  ♦ KM03*ABt(HDS)  6 KHO« 
irAIL(5)aO 

IF(HOEA«QE«T30)  lFAtL(9)Y*l 

RETURN 

CNO 
Figure E.7. Subroutine DETECT (flow chart). Sensor inputs are converted to degrees and g's, then the Concept I roll rate, pitch rate, yaw rate, normal acceleration and altitude rate mechanizations are evaluated in turn. Each mechanization sets IFAIL(i) = 0, then IFAIL(i) = -1 if its error exceeds the monitor level:

  Roll rate:      |Pe| > KP1 + KP2 |P|
  Pitch rate:     Qe = Q - θ' cos φ - ψ' sin φ cos θ
                  |Qe| > KQ1 + KQ2 |Q| + KQ3 |P| + KQ4 |R|
  Yaw rate:       Re = R - ψ' cos φ cos θ + θ' sin φ
                  |Re| > KR1 + KR2 |R| + KR3 |P| + KR4 |Q|
  Altitude rate:  |He| > KHD1 + KHD2 |V| + KHD3 |H'| + KHD4


FOLAG -- First order lag filter, used in Concept I.

      FUNCTION FOLAG(I,TAU,X)
C     MODELS 1/(TS + 1) FILTERS
      COMMON /FILTIC/MODE,DT
      COMMON /FILTER/XP(20),YP(20),C1(20),C2(20),XPP(10),DTI
C
      IF(MODE) 100,100,300
  100 CONTINUE
C     COMPUTE DIGITAL COEFFICIENTS AND INITIALIZE THE FILTER
      C1(I)=DT/(2.*TAU + DT)
      C2(I)=(2.*TAU - DT)/(2.*TAU + DT)
      XP(I)=X
      YP(I)=X
  300 FOLAG=C1(I)*(X + XP(I)) + C2(I)*YP(I)
      XP(I)=X
      YP(I)=FOLAG
      RETURN
      END

Figure E.8. Subroutine FOLAG


E.2.6 HIPASS — First order high-pass filter, used in Concept I.

      FUNCTION HIPASS(I,TAU,X)
C     MODELS S/(TS + 1) FILTER
      COMMON /FILTIC/MODE,DT
      COMMON /FILTER/XP(20),YP(20),C1(20),C2(20),XPP(10),DTI
C
      IF(MODE) 100,100,300
  100 CONTINUE
      C1(I)=2./(2.*TAU + DT)
      C2(I)=(2.*TAU - DT)/(2.*TAU + DT)
      XP(I)=X
      YP(I)=0.
  300 HIPASS=C1(I)*(X - XP(I)) + C2(I)*YP(I)
      XP(I)=X
      YP(I)=HIPASS
      RETURN
      END

Figure E.9. Subroutine HIPASS


E.2.7 DERIV -- Digital derivative calculation, used in Concept I.

Ẋ = (X - XLAST)/DT

      FUNCTION DERIV(I,X)
C     COMPUTES DERIVATIVE X
      COMMON /FILTIC/MODE,DT
      COMMON /FILTER/XP(20),YP(20),C1(20),C2(20),XPP(10),DTI
C
      IF(MODE) 100,100,300
  100 DTI=1./DT
      XPP(I)=X
  300 DERIV=(X - XPP(I))*DTI
      XPP(I)=X
      RETURN
      END

Figure E.10. Subroutine DERIV
RLIM -- Apply prescribed limits on monitor movement, used in Concept I.

      FUNCTION RLIM(X,LLIM,ULIM)
C     LIMIT UPPER AND LOWER VALUES OF X
      REAL LLIM
      RLIM=X
      IF(X.GT.ULIM) RLIM=ULIM
      IF(X.LT.LLIM) RLIM=LLIM
      RETURN
      END


E.2.9 FDELAY — Counts single trips for three-trip fault declaration.

      SUBROUTINE FDELAY(IFAIL,JFAIL,N1,N2)
C     3 CONSECUTIVE IFAIL INDICATORS WILL SET JFAIL INDICATOR
      DIMENSION IFAIL(1),JFAIL(1),TEMP(42)
      COMMON/FILTIC/MODE,DT
      INTEGER TEMP
      IF(MODE) 5,5,10
    5 DO 6 I=N1,N2
    6 TEMP(I)=0
   10 CONTINUE
      DO 20 I=N1,N2
      JFAIL(I)=0
      TEMP(I)=TEMP(I) + IFAIL(I)
      IF(IFAIL(I).GE.0) TEMP(I)=0
      IF(TEMP(I).LE.-3) JFAIL(I)=-1
   20 CONTINUE
      RETURN
      END

Figure E.12. Subroutine FDELAY (flow chart: on initialization, set the TEMP array to 0; otherwise set JFAIL(I) = -1 if IFAIL(I) = -1 at samples n-2, n-1 and n).
E.2.10 MON1 — Sequential likelihood ratio test of residual mean value used in Concepts II and III.

      SUBROUTINE MON1(V,XMON,IFLAG,NV,NMAX,MODE)
      DIMENSION V(1),XMON(1),IFLAG(1)
      DIMENSION SUM(42),N(42)
      DATA SF1/2.00/,SF2/3.13/
      IF(MODE) 10,10,20
   10 DO 11 I=1,42
      SUM(I)=0.
   11 N(I)=0
      RETURN
   20 DO 1 I=1,NV
      IFLAG(I)=0
      SUM(I)=SUM(I) + V(I)
      N(I)=N(I) + 1
      XN=N(I)
C     TRIP WHEN THE RUNNING SUM CROSSES THE UPPER BOUNDARY
      IF(ABS(SUM(I)).LT.(SF2+SF1*XN)*XMON(I).OR.N(I).GT.NMAX)GO TO 2
      IFLAG(I)=-1
      GO TO 1
    2 CONTINUE
C     KEEP SUMMING WHILE ABOVE THE LOWER BOUNDARY, ELSE RESTART
      IF(ABS(SUM(I)).GT.(SF2+SF1*(XN-2.))*XMON(I).AND.N(I).LT.NMAX)
     1GO TO 1
      SUM(I)=0.
      N(I)=0
    1 CONTINUE
      RETURN
      END
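
The two persistence schemes listed above, the constant-level trip with FDELAY's three-trip count and MON1's sequential test on the running residual sum, respond differently to an isolated spike, a soft bias and a hard fault. The C program below is an added example comparing them on one channel; it is not code from the report. SF1 and SF2 are the values read from the MON1 listing, while the level-trip scale factor 3.0, the monitor level 1.0 and both residual sequences are constructed assumptions.

```c
#include <stdio.h>

#define SF1     2.00  /* SLRT slope factor, as read from the MON1 listing */
#define SF2     3.13  /* SLRT offset factor, as read from the MON1 listing */
#define SF_TRIP 3.0   /* level-trip scale factor: assumed for this example */

typedef struct { int count; } TripDelay;     /* FDELAY's TEMP(I), one channel */
typedef struct { double sum; int n; } Slrt;  /* MON1's SUM(I) and N(I) */

static double dabs(double x) { return x < 0.0 ? -x : x; }

/* Constant-level monitor: -1 when |v| exceeds the scaled monitor level. */
static int level_trip(double v, double xmon)
{
    return dabs(v) > SF_TRIP * xmon ? -1 : 0;
}

/* FDELAY-style persistence: latch (-1) only on three consecutive trips. */
static int trip_delay(TripDelay *d, int ifail)
{
    d->count += ifail;
    if (ifail >= 0)
        d->count = 0;              /* any good sample restarts the count */
    return d->count <= -3 ? -1 : 0;
}

/* MON1-style sequential test on the running sum of the residual. */
static int slrt_step(Slrt *s, double v, double xmon, int nmax)
{
    double xn;
    s->sum += v;
    s->n += 1;
    xn = (double)s->n;
    if (dabs(s->sum) >= (SF2 + SF1 * xn) * xmon && s->n <= nmax)
        return -1;                 /* upper boundary crossed: declare fault */
    if (dabs(s->sum) > (SF2 + SF1 * (xn - 2.0)) * xmon && s->n < nmax)
        return 0;                  /* between boundaries: keep summing */
    s->sum = 0.0;                  /* below lower boundary or window expired */
    s->n = 0;
    return 0;
}

/* Index of the first sample at which the three-trip monitor latches, or -1. */
int first_three_trip(const double *v, int len, double xmon)
{
    TripDelay d = {0};
    for (int i = 0; i < len; i++)
        if (trip_delay(&d, level_trip(v[i], xmon)) < 0)
            return i;
    return -1;
}

/* Index of the first sample at which the sequential test trips, or -1. */
int first_slrt(const double *v, int len, double xmon, int nmax)
{
    Slrt s = {0.0, 0};
    for (int i = 0; i < len; i++)
        if (slrt_step(&s, v[i], xmon, nmax) < 0)
            return i;
    return -1;
}

/* Constructed residuals: noise, one spike at index 5, soft bias from index 10. */
static const double SOFT_FAULT[] = {
    0.1, -0.1, 0.1, -0.1, 0.1, 4.0, -0.1, 0.1, -0.1, 0.1,
    2.6, 2.4, 2.6, 2.4, 2.6, 2.4, 2.6, 2.4, 2.6, 2.4 };
/* Constructed residuals: noise, then a hard fault from index 5 onward. */
static const double HARD_FAULT[] = {
    0.1, -0.1, 0.1, -0.1, 0.1, 6.1, 5.9, 6.1, 5.9, 6.1, 5.9 };

#define SOFT_LEN ((int)(sizeof SOFT_FAULT / sizeof SOFT_FAULT[0]))
#define HARD_LEN ((int)(sizeof HARD_FAULT / sizeof HARD_FAULT[0]))

int main(void)
{
    printf("soft fault: three-trip=%d slrt=%d\n",
           first_three_trip(SOFT_FAULT, SOFT_LEN, 1.0),
           first_slrt(SOFT_FAULT, SOFT_LEN, 1.0, 20));
    printf("hard fault: three-trip=%d slrt=%d\n",
           first_three_trip(HARD_FAULT, HARD_LEN, 1.0),
           first_slrt(HARD_FAULT, HARD_LEN, 1.0, 20));
    return 0;
}
```

With these inputs the isolated spike latches neither monitor, the soft bias stays under the trip level and is caught only by the sequential test, and the hard fault is caught by both.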

E.2.11 MON2 -- Sequential likelihood ratio test of likelihood difference function used in Concept II.

      SUBROUTINE MON2(VLIKE,IFLAG,JFLAG,IPLUS,MINUS,SIGV)
      DIMENSION IFLAG(1),JFLAG(1)
      DATA SF/1.0/
      IPLUS=0
      MINUS=0
      IF(IFLAG(1)+IFLAG(2)+IFLAG(3).EQ.0)GO TO 1
      SUM=SUM+VLIKE
      IF(JFLAG(1)+JFLAG(2)+JFLAG(3).EQ.0)RETURN
      IF(SUM.GT.3.455*SIGV*SF)IPLUS=-1
      IF(SUM.LT.-3.455*SIGV*SF)MINUS=-1
      RETURN
    1 SUM=0.0
      RETURN
      END

E.2.12 MON3 — Constant level residual trip monitor, used in Concepts II and III (used with FDELAY for multiple trip criteria).

      SUBROUTINE MON3(V,XMON,IFLAG,NV1,NV2)
      DIMENSION V(1),XMON(1),IFLAG(1)
      DATA SF/3.*/
      DO 1 I=NV1,NV2
      IFLAG(I)=0
      IF(ABS(V(I)).GT.SF*XMON(I)) IFLAG(I)=-1
    1 CONTINUE
      RETURN
      END


E.2.13 AR21 — Concept II Euler angle-body rate diagnostic filter.



subroutine  AR21 (EA, BR* SR# CP# ST#CT# XBAR# XHaT# v# DT » 
real  Kf 

01  PENSION  EA(3)#SR(3)#XBAR0)«XHATI3#3)#KF(2«3) 
l#EACK(3)«eRC<(3)#B(3#3)#V(3),T(3) 
tjATA  EAC</2*0«05#100»0/#BRC</3»C»l/#B/l»0#e*0»0/ 
l#<P/0«229#«3t075#0*1131*-0»03#C»l5627#-0*o5/ 
B(1#2>"SP«ST/CT 
a(l#3)*Co«ST/CT 
B(2#2)>CP 
B(2«3i<'-SP 
B(3#2)»SP/CT 
a(3#3)*CP/CT 
00  * J>1#3 
V( J)aEA(J|-XBAR( J) 

XHATd#  J)«X3AR(  J»4KrCl«J)*V(  J) 
irtABStBRt  Jn»GT.BRC<(  JJ  )G3  TS  5 
!r(ABS(EA(Un.QT.EACK(jnGO  TO  6 
XHAT(2#U)aXMAT(2#JJ^tr(2# 

GB  to  6 

5 XHAT(3« J)»XHAT<3#J>4Kr<2»J)*Vt J)/BR(J) 

6 r(U)*BR( J)-XhaT(2#J)*XUAT(3#J)*BRCJ> 

00  1 J*l#3 

TE'^PaO'O 
00  7 K«l#3 

7 TE*’P«TtnP^B(J#K)*T(«) 

1 xBAR(  j|«XHAT(i»J)-*OT»TE*iP 
RETURN 
END 

Figure E.16. Subroutine AR21
E.2.14 AR22 — Concept II U, n_z, α, h, θ diagnostic filter.

1 : subroutine  KR2Z  t ALT#  AL,  NI2#  BR,  SP#  CP#  ST#  CT#  UM#  VS#  XBAR#  XHAT#  V#  OT#  T ) 

Si  rEAl  BR(3)#XBAR(3)#XHAT(3)#V(2) 

3j  1#KP(3#S)#L-#N2 

C GAIN  SET  Ne  2#  increased  H . REDUCED  AL 

5t  DATA  G/32.17/ 

6i  l#KF/ti:*82#"t046l5AA  *0431 85# -3 *9599# 17»76a# 17A»17/ 

7:  V(n«ALT-X3ARtl) 

• t V<S)«AL-(X3ARt2).#X3AR(3))/UM 

9t  LW«1750* 

10:  lFtALT*UT.1750* JLX-ALT 

Hi  lF(ALTtLT*30*)LWa30* 

is:  PHIG»1*0-0T*UM/LW 

13:  00  S I>1#3 

14:  XHATtn-XBARjI) 

15:  00  2 Jfl#2 

16:  2 XHATt  I )«XHAT(  n*<F(  I#  J)*V(J) 

17:  X9AR{n»XHAT(n*DT*(UM*ST-XHAT(2>*CT*CP-VS*CT*SPi 

18:  xBAR(2)«XHAT(2)+0T«(-N2#.G*CT*CP-G-BR(1)*VS+BR(2)*UM) 

19i  XBAR{3)«PHIQ*XHAT(3J 

20:  return 

21:  END 


Figure E.17. Subroutine AR22
      SUBROUTINE AR23(NY,P,R,DR,DA,UO,ALT,QBAR,AL,CT,SP,XBAR,XHAT
     1,V,DT,OPTION)

3:  real  NY«V(1)«XBAR(1)«XHAT(1)#KF(A«3) 

*!  INTEGEK  8PTI9N 

5i  data  G/32.l7/,Kr 

6i  l/-1.78‘J8E-CAi2.931BE-03*-5»8e>?8E-0A#«lt51?9E«03 

7:  8««3.8AS8E-03«  l«8a32E»01#-*»23.38E-02*»A»1000E-02 

8"  3f •2« A176E«c2» •3»2073E»ci* 1»OA32E»01*  8*33AaE"o2/ 

9?  data  Alii  A2iiA3l«A4»i«Ai2«A22#A32#  A42#Al3/A23«A33<A«3«Ai% 

10*  liA24i A34i A4A 

Hi  2/«97779i-1.769l* •34428iO»0*3»5A14E*06*  *78701* 1 'aQSBE^OS 

18:  3i 0*0* •0*Q48333* •100A8#.95026#0*0* •0*021674# •l*71R* 

13T  4i*33472#. 94566/ 

14:  ir(8PTl8N.Ea.8»G0  T9  4 

IS:  Al4a«i00625-3*CE-05*Q6AR 

16:  a11«A1441,0 

I7i  A12*0*0 

18:  Al3a«0*05 

19:  A21**«2«2*625E-03*3BAR 

80:  A88a*940«2*5E«04*0BAR 

81i  A83a5*2t)E-0248*35Ea05*QBAR 

88t  A24aA2l 

83:  A31aO*11546*7E-04*QBAR 

84:  A38**004 

8S:  A33>*98S-5*417C«0S«0BAR 

86:  A34*A31 

87;  L><-1750. 

88:  1F(ALT*UT*1750*)UW»ALT 

89i  ir(ALT«LT*600*C)LM*600* 

301  A44al  «0*DT*ljB/m 

31|  4 C9NTINUE 

38:  Cll«(-0*18-2«583E-04«OBAR42.0E»06«ALT»«UB 

33i  C14>C11 

341  8lla8«0E-034>2«036E«05*GBAP 

35|  lF(Bll*QT..0127)911a.0127 

36:  B18*0«0 

37:  B13»0T*32*17/U9 

381  B21a7*62E«04*aBAR 

39:  lF(B21*GT«0*4)B21a0*4 

60:  B88*«0«25«4flE«03*QBAR 

611  IF(B88*tT*<8*4)B28a-8*6 
42:  B31=-0.025-6.88E-04*QBAR

*3r  rF(B3i»tTt-o.«)e3i«-o.A 

bsS-O'IO-a.stbe-oa^obar 
%5:  lF(B32»LTft075)B32«*.075 

*6:  01at0862ftQSAR 

♦ 7:  lF(01tCjT.A3t7)01«A8»7 

48:  0S"*3207*n3AR 

49:  IF(D2.1jT.15.0)D2«15«0 

50:  V(l  )*NyCn#X0AR(l)-Cl4*XBAR{4)-Ol*OR«O2*DA 

51;  V{2>#P«X3AR{2) 

521  V(3)*R-xaAa(3) 

53:  DB  2 J-li4 

54:  T£MP«xbaR(J) 

55:  08  3 K«1j3 

56:  3 TEmp.TEmp+<F( j#K)*v(K) 

57:  2 xHAT(J)-TEmp 

58:  X8AR(1  )«AU*XHAT(l  )+A12*xhATjp)*A13*xHAT(3) 

59:  14>A14«XHAT(4)4.B11*0R+B12#DA 

60:  2*0T*P*AL+B13*CT*SP 

61:  XBAR(2)*a21#XHAT(1 )+A22*XHAT(2)+A23«XHAT(3) 

62:  UA24*XHAT(4)+B2l*0R-fB22*0A 

63:  XBAR(3)*A31*XHATil)^A32*XHAT(p)fA33#XHAT(3) 

64:  1*A34#XHAT(4)*B31*0R+B32*DA 

65:  X6AR(4)«A44«XHAT<4) 

66:  RETURN 

67:  ENO 


E.2.16 AR24 -- Concept II dual body rate fail-op diagnostic filters.


l!  subroutine  AR24jEA,QRi,BR2*So,CPjSTjCT,xaAR»XHAT.V«DT,v/LlKE) 

2i  real  KFO)<eA(3)«BRl(3)«BR2(3)iV(6)«XHAT(6)«XBARi6) 

3:  l«B(3«3)iSISS(3) 

%:  data  KF/.223>.1131,.1567/«B/1.0*8*0t0/ 

5:  data  SIBS/.019‘J#2*#00698/ 

6!  B(li2>«SP*ST/CT 

7|  8(li3>»CP*ST/CT 

8:  B(2«2I*CP 

9:  B(2i3>»-SP 

lO'l  B(3«2J«SP/CT 

11:  B<3i3>»CP/CT 

I2t  00  1 I»li3 

13:  V(I  J.EA(n-X8AR(  n 

!♦:  V(  l43)  “EAt  n-X3A«(  I+3> 

15:  XHAT(I)»XBAR(n+KF(I)«V(I) 

16:  xHAT(  I-»3j.X3AR( 

17:  VUlKEaO'O 

18:  DO  2 K*li3 

19:  2 VLIKE«VLIKE4.a(ljKJ*BRUX) 

20:  XBAR(  n«XHAT(  n*0T*VLIKE 

21:  VUIKe«0*0 

22:  DO  3 K«l«3 

23t  3 VtIKE«VLlKE*R(IiK)*BR2t><) 

24:  I XBAR(I+3).XHAT( I+3)+0T*VLH<E 

25:  VtlKE>0«0 

26:  DO  4 I*d3 

27:  4 vLlKE«VUIKE4(V(I>*V(lNV(I*3)#V(l43)>/(SlGS(n,SlGS(I>) 

28:  RETURN 

19:  |N0 


Figure E.18. Subroutine AR24 (flow chart: two Concept 2 Euler angle-body rate Kalman filters, one using body rates from set 1 and one using body rates from set 2).


E.2.17 AR31 — Concept III, 3 n_z, Q, α linear short period filters.


li  SUBliDUTlNE;  AR31(NZ>Q«AL«OE«U8«ALT«CBAR/X0AR«xHAT<VfOT) 

2:  rEA(,  NZ«V(l)«XBAp(l)«XMAT(n«Kr(9«3)«LW 

3:  C GAIN  SET  NO  2t  REOUCEO  AL  . INCREASED  NZ  AND  0 

A:  data  KF 

Si  1/-E,3552E-05«1,6226E«0A«*2*7967E>0A 

6:  2* •2#5A08E-O5<l*8l76E-OA*»3tO5lSr»OA 

7t  343»0t0 

81  AjAtgsieE-oaiE.SSaSE-Ol^-ltZSosE-Ol 

9t  5«5i0A23E«024  2«<f851E*01«*l«3A&aE-0l 

107  6j5t2303E-02<3.5566E-01*-2»08?5E-0l 

117  7|5t3l90E-03<-3.66A3E-02*6»3158E-02 

12!  843fO«0 

13:,  9j8#5222E*03<-7«5977E»0?*1»1090E-01/ 

lA!  Allal*0^0T«(-<35-t002667«0UAR) 

I5i  Al2aOT 

16:  Al3aAll-1.0 

17:  A21aOT*<l.O«.031667*OBAR) 

18:  A22al*0-»0T«(-«35-tQ018333*0BA9) 

19:  a23«A21 

20':'  L'^*1750* 

21:  1F(AlT»LT.1750«>LW»AI.T 

22:  lF<ALT.UT.300l.Ka30» 

237  A33al.O*OT*UO/LW 

26:  C11*«2«37S*DBAR 

25:  ci3acn 

261  Bl««*OO5a6«CEa05*OB^R 

27:  B2aaf0l-«002125*QSAR 

28:  0«**2583aQ3AR 

29:  08  1 Ial«7a3 

30i  V(  lU-NZ.CliaXBARt  I)«C13*XBAR(  U2)aO*OE 

31:  V(l*l)Aa,XBAR{I*l) 

32:  V(lA2}*AL-xaAR(  I)>XBAR(I'»2) 

33i  00  2 J*1«3 

36:  lJlal*J»l 

39:  TENP«xB6R{ljn 

36:  08  3 KPla3 

37:  lKlaI*X-l 

38:  3 TEMPaTEMP*KF(lJlaKl»V(lKl) 

39:  2 XHATIIJDaTEMP 

60l  XBARt  I )*A11*XHAT(I  )*Al2aXHAT(  1*1  )*A13*XHAt»  I4.2) 

61:  ueiaoe 

62:  XBAR(I*l)aA21#XHAT{IUA22«XHATtUl)«>A23*XHAT(U2: 

63:  WB2«0E 

66:  1 xBAR(I«2}aA33«XHA7(I’^2) 

69:  RETURN 

66i  END 


Figure E.19. Subroutine AR31


E.2.18 AR32 — Concept III, 4 n_y, P, R lateral-directional filters.


It  SUBR8UT1NE  AR32(MV«P4RjDRiOA«U9iALTiOBARiXbARiXHATi ViDT) 

2:  real  NYiV(niXBAR(l)«XMAT(l)*XF(Ai3)iLW 

3:  data  Kf 

A:  l/»1.7898£-0Ai2.9915E-O3i-5»26?8E-0A« -I'SlPBE-OS 

5t  2i«3.2A98E-g3j 1.8832E-01i-A»2388E-02**A»l000E-02 

6s  3i-2.Al76E-02j-3«2073E-01il»OA32E-01*8»334*E-a2/ 

7s  A1A...0U62S-3<0E-05«3BAR 

II  AllaA14*l«0 

91  Al2a0«0 

lOi  Al3a-0*O5 

lit  A21a«<2-2*625E-C3*GBAR 

121  a22*<9AO.2<5e-0A*OQAR 

131  A23a5<25E-02*8<3SC«05*QBAR 

lA:  A2A.A21 

IS:  A3U0«11546<7E-CA«cBAR 

16:  A32*«0OA 

I7i  A33f«986.5«A17E-05«QBAR 

18:  A3A*A3l 

19:  LWfl750« 

20:  IF(ALT«I,T.1750«)LW.ALT 

21:  I7(ALT«UT.6000)LW.600« 

22:  AAAp1,0«DT*U9/LW 

23:  Cll«C0«l2-2»583E«0A#QBAR*2»0E-06*Al.T)*L)8 

2At  ClAaCll 

29:  B1U2*0E«03<»2*038E«05*GBAR 

26:  lP'<Bll«eT..0127)Bll»#0l27 

27:  Bl2pOtO 

21:  B21a7«62E-0A*Q3AR 

29:  IF<B21»OT.O.AJB21»0«A 

10:  B22«*0*25-A.lE-03*aBAR 

31:  IF(B22*LT**2«A)B22p-2.A 

32:  B31a«0«O25«6<88E«0A«aBAR 

33:  IF(B31*LT«*0«A)B31p-0«A 

3A:  832p0«1U«A*375E-0A«qBAR 

3S:  lF<B32»l.T.*.375JB32f#o75 

36:  D1^«0862«QBAR 

37:  IF(0ltGr,48«7)0lpA8t7 

38:  D2a«0207«QBAR 

19:  lF(02t6T.lS<0)02«15*0 

AO:  llfO 

Figure E.20. Subroutine AR32


E.2.19 WHOA — Sensor consistency monitor.

      SUBROUTINE WHOA(X)
C     IF SENSORS RATE OF CHANGE EXCEEDS A LIMIT THE LAST
C     GOOD OUTPUT REPLACES IT
      COMMON /FILTIC/MODE,DT
      DIMENSION X(11),XP(11),XLIM(11)
      DATA XLIM/16.00,6.00,1.00,.55,.25,.80,.07,.07,100.00,.10,200.00/
      IF(MODE) 100,100,200
  100 DO 110 I=1,11
  110 XP(I)=X(I)
      RETURN
  200 DO 220 I=1,11
      TEMP=X(I) - XP(I)
      IF(ABS(TEMP).LT.XLIM(I)) GO TO 210
      X(I)=XP(I)
      GO TO 220
  210 XP(I)=X(I)
  220 CONTINUE
      RETURN
      END

Figure E.21. Subroutine WHOA (flow chart: on initialization, XP(I) = X(I) for I = 1 to 11; otherwise, if |X(I) - XP(I)| < XLIM(I) then XP(I) = X(I), else X(I) = XP(I)).


E.2.20 HPAS2 — Second order high-pass filter, used in Concept III.


      SUBROUTINE HPAS2(YIN,YOUT,X1,X2)

j data  All, A21,A12,A?2/. 99978, -.OASSYfOtOAS??,. 9319/ 

i 1 <Bl*32/»0Cl22ll**0*3?7/*Cl/C2/*»9656/«l#376/,0/t9656/ 

      YOUT=C1*X1+C2*X2+D*YIN
      TEMP=A11*X1+A12*X2+B1*YIN
      X2=A21*X1+A22*X2+B2*YIN
      X1=TEMP
      RETURN
      END


Figure E.22. Subroutine HPAS2
E.2.21 C3RECOV — This routine performs the necessary isolation logic for Concept III. The following table describes this in more detail:


TABLE E.2. CONCEPT III ISOLATION LOGIC DEFINITIONS


Flags 

Concept  II 
Filter  (table) 

Residual 

Failed 

Sensor 

IFl 

KF  #1 

n- 

IF2 

KF  #1 

m 

^m 

JFl 

KF  #2 

Q 

m 

‘'m 

JF2 

KF  #2 

^m 

“m 

(IFl  or  IF2) 

KF  #1 

and 

and 

Q 

m 

(JFl  or  JF2) 

KF  #2 

''m 

IF3 

KF  #3 

"ym 

R 

m 

IF4 

KF  #3 

R 

m 

R 

m 

JF3 

KF  #4 

"ym 

P 

m 

JF4 

KF  #4 

p 

m 

P 

m 

(IF3  or  IF4) 

KF  #3 

n„  , P , 
ym  m 

and 

and 

*Vm 

(JF3  or  JF4) 

KF  #4 

R 

m 
      SUBROUTINE C3RECOV(IF1,IF2,JF1,JF2,IF3,IF4,JF3,JF4,ISENF,MODE)
      IF(MODE.GT.0)GO TO 1
      IFLP=0
      JFLP=0
      IFLR=0
      JFLR=0
      ISENF=0
      RETURN
    1 CONTINUE
      IF(IF1+IF2.LT.0)IFLP=IFLP+1
      IF(JF1+JF2.LT.0)JFLP=JFLP+1
      IF(IF3+IF4.LT.0)IFLR=IFLR+1
      IF(JF3+JF4.LT.0)JFLR=JFLR+1
      IF(IFLP.GT.0)ISENF=1
      IF(JFLP.GT.0)ISENF=10
      IF(IFLP.GT.0.AND.JFLP.GT.0)ISENF=4
      IF(IFLR.GT.0)ISENF=5
      IF(JFLR.GT.0)ISENF=3
      IF(IFLR.GT.0.AND.JFLR.GT.0)ISENF=2
      RETURN
      END


Figure E.23. Subroutine C3RECOV
TABLE E.3. COMPUTER VARIABLE DEFINITIONS

Variable | Routines Used | Definition

A | ROLLMON | Uplogic Decay Constant
AL | AR22, AR23, AR31 | Angle-of-Attack
ALDS | DETECT | Angle-of-Attack
ALM | DETECT | Angle-of-Attack
ALT | MONH, AR22, AR23, AR31, AR32 | Altitude
ALTM | DETECT | Altitude (ft)
A11, A12, ... | AR23, AR31, AR32, HPAS2 | Discrete A Matrix
B, B1, B2 | AR21, AR24, AR32, AR31, AR23, HPAS2 | Discrete B Matrix
BIAS | DETECT | Bias
BR | AR21, AR22 | Body Rate Vector
C | AR23, AR31, AR32, HPAS2 | Discrete C Matrix
CP | AR21, AR22, AR24 | cos φ
CPHIS | DETECT | cos φ (cosine of sensed roll angle)
CT | AR21, AR22, AR23, AR24 | cos θ
CTHS | DETECT | cos θ (cosine of sensed pitch angle)
C1 | DETECT, FOLAG, HIPASS, DERIV | First Order Lag Coefficient
D | AR31, HPAS2 | Discrete D Matrix
DA | AR23, AR32 | Aileron
DAC | ROLLMON | Roll Command
DAO | ROLLMON, DETECT | Aileron
DDA | ROLLMON | Δ Aileron



DE | AR31 | Elevator
DEO | DETECT | Elevator
DMON | MONC | Monitor Change
DR | AR23, AR32 | Rudder
DRO | DETECT | Rudder
DT | DETECT, FOLAG, HIPASS, DERIV, FDELAY, AR21, AR22, AR23, AR24, AR31, AR32, WHOA | Sampling Time (Simulation Sample Time)
 | DETECT, FOLAG, HIPASS, DERIV | Sampling Time
EA | AR21, AR24 | Euler Angle Vector
EACK | AR21 | Euler Angle Magnitude Check Vector
 | AR22, AR23 | Gravity
H | MONH | Altitude
HDE | DETECT | Altitude Rate Error
HDEA | DETECT | Altitude Rate Error
HDS | DETECT | Filtered Altitude Rate
HS | DETECT | Filtered Altitude Rate
ICON | AR31, AR32 | Gain Schedule Option
IFAIL | DETECT | Monitor Trip Flags
IFLP | C3RECOV | Concept III Logic Parameter
 | C3RECOV | Concept III Logic Parameter
ISENF | C3RECOV | Concept III Isolated Failed Sensor
IF | C3RECOV | Concept III Logic Parameter
JFAIL | FDELAY, MON2 | Monitor Trip Flags
JFLP | C3RECOV | Concept III Logic Parameter
JFLR | C3RECOV | "
JF | C3RECOV | "
KHD1 | DETECT | Altitude Rate Mechanization Gain
KHD2 | DETECT | Altitude Rate Mechanization Gain
KHD3 | DETECT | Altitude Rate Mechanization Gain
KHD4 | DETECT | Altitude Rate Mechanization Gain
KNZ1 | DETECT | Normal Acceleration Mechanization Gain
KNZ2 | DETECT | Normal Acceleration Mechanization Gain
KNZ3 | DETECT | Normal Acceleration Mechanization Gain
KNZ4 | DETECT | Normal Acceleration Mechanization Gain
KNZ5 | DETECT | Normal Acceleration Mechanization Gain
KNZ6 | DETECT | Normal Acceleration Mechanization Gain
KP1 | DETECT | Roll Rate Mechanization Gain
KP2 | DETECT | Roll Rate Mechanization Gain
KQ1 | DETECT | Pitch Rate Mechanization Gain
KQ2 | DETECT | Pitch Rate Mechanization Gain
KQ3 | DETECT | Pitch Rate Mechanization Gain

KQ4 | DETECT | Pitch Rate Mechanization Gain
KR1 | DETECT | Yaw Rate Mechanization Gain
KR2 | DETECT | Yaw Rate Mechanization Gain
KR3 | DETECT | Yaw Rate Mechanization Gain
KR4 | DETECT | Yaw Rate Mechanization Gain
LLIM | RLIM, DETECT | Lower Limit To Be Imposed on Input Parameter
LW | AR22, AR23, AR31, AR32 | Gust Scale Length
MINUS | MON2 | SLRT Logic Output
MODE | C3RECOV, DETECT, FOLAG, HIPASS, DERIV, FDELAY, MON1, WHOA | Flag To Indicate Program Initialization or Run Segment
N | ROLLMON | Initialization
N(1-42) | MON1 | Sum Numbers
NMAX | MON1 | Maximum Sequence in Sum
NV | MON1 | Number of Residuals Being Tested
NV1 | MON3 | Test Index Limits or Residuals
NV2 | MON3 | Test Index Limits or Residuals
NY | AR23, AR32 | Lateral Acceleration
NYM | DETECT | Measured Lateral Acceleration
NZ | AR22, AR31 | Normal Acceleration (ft/s/s), Sensed Lateral Acceleration

NZE | DETECT | Difference between Sensed and Reconstructed Normal Acceleration
NZEA | DETECT | Absolute Value of NZE
NZM | DETECT | Sensed Normal Acceleration
NZS | DETECT | Sensed Normal Acceleration
N1 | MONC, FDELAY | Starting Location in IFAIL for Applying Triple Trip Delay
N2 | MONC, FDELAY | Ending Location in IFAIL for Applying Triple Trip Delay
P | AR23, AR32 | Roll Rate
PDS | DETECT | Sensed Roll Rate
PDSA | DETECT | Absolute Value of PDS
PE | DETECT | Difference between Sensed and Reconstructed Roll Rates
PEA | DETECT | Absolute Value of PE
PHI | ROLLMON | Roll Angle
PHIDS | DETECT | Sensed Roll Angle
PHIG | AR22 | Gust Correlation
PHIM | DETECT | Sensed Roll Angle
PHIQ | MONQ | Dynamic Pressure Delay Parameter
PM | DETECT | Sensed Roll Rate
PSIDS | DETECT | Sensed Yaw Angle (deg)
PSIM | DETECT | Sensed Yaw Angle (rad)
Q | AR31 | Pitch Rate
QBAR | AR23, AR31, AR32 | Dynamic Pressure
QBARF | MONQ | Lagged Dynamic Pressure
QDS | DETECT | Sensed Pitch Rate
QDSA | DETECT | Absolute Value of QDS
QE | DETECT | Difference between Sensed and Reconstructed Pitch Rate
QEA | DETECT | Absolute Value of QE
QM | DETECT | Sensed Pitch Rate
R | AR23, AR32 | Yaw Rate
RAT | MONQ | Ratio
RDS | DETECT | Sensed Yaw Rate
RDSA | DETECT | Absolute Value of RDS
RE | DETECT | Difference between Sensed and Reconstructed Yaw Rate (dps)
REA | DETECT | Absolute Value of RE
RM | DETECT | Sensed Yaw Rate
RTD | DETECT | Radian-to-Degrees Conversion Constant (= 57.3) (d/r)
SF | MON2, MON3 | Scaling Factor
SFBR(1-3) | DETECT | Sensor Parameters in Labeled Common, Not Used in DETECT
SIGB(1-11) | DETECT | Sensor Parameters in Labeled Common, Not Used in DETECT
SIGS(1-3) | AR24 | Likelihood RMS Values
SIGSF(1-11) | DETECT | Sensor Parameters in Labeled Common, Not Used in DETECT


SIGSN(1-11) | DETECT | Sensor Parameters in Labeled Common, Not Used in DETECT
SIGV | MON2 | Residual RMS
SP | AR21, AR22, AR23, AR24 | sin φ
SPHIS | DETECT | sin φ (Sine of Sensed Roll Angle)
SQ | MONQ | Dynamic Pressure
ST | AR21, AR22, AR24 | sin θ
STHS | DETECT | sin θ (Sine of Sensed Pitch Angle)
SUM | MON1, MON2 | Sum of Residuals
T | MONQ, AR22 | Time
T(1-3) | AR21 | Temporary Variables
TAU | FOLAG, HIPASS | Filter Time Constant
TEMP | AR21 | Temporary Variables
TEMP | AR23 | "
TEMP | AR31 | "
TEMP | AR32 | "
TEMP | WHOA | Difference between Current and Previous Sensor Outputs
TEMP | HPAS2 | Counts the Number of Consecutive Trip Flags in IFAIL
THDS | DETECT | Sensed Pitch Angle
THETAM | DETECT | Sensed Pitch Angle
T1, T2, ... T20 | DETECT | Miscellaneous Intermediate Computations



UG | DETECT | Gust Velocity along Longitudinal Axis (fps)
ULIM | RLIM | Upper Limit To Be Imposed on Input Parameter
ULIM(1-11) | DETECT | Upper Limits Imposed on Sensor Outputs
UM | AR22 | Airspeed Measurement
UO | AR23, AR31, AR32 | Airspeed
UOM | DETECT | Sensed Velocity along Longitudinal Axis (fps)
V(1-42) | MON1, MON3, AR21, AR22, AR23, AR24, AR31, AR32 | Residual Vector
VELS | DETECT | Sensed Total Velocity (fps)
VG | DETECT | Gust Velocity along Lateral Axis (fps)
VLIKE | MON2, AR24 | Likelihood Difference
VS | AR22 | Sideslip Velocity
WG | DETECT | Vertical Gust Velocity (fps)
X | ROLLMON | Roll Uplogic State
X | FOLAG | Parameter to Which Lag Will Be Applied
X | HIPASS | Parameter That Will Be High-Passed
X | DERIV | Parameter from Which the Derivative Will Be Computed
X | RLIM | Parameter to Which Limits Will Be Applied
XBAR(1-42) | AR21, AR22, AR23, AR24, AR31, AR32 | x̄, Predicted State Vector
XHAT(1-42) | AR21, AR22, AR23, AR24, AR31, AR32 | x̂, Estimate Vector

XMAX | ROLLMON | Maximum Roll Uplogic State
XMAXO | ROLLMON | Initial Roll Uplogic State
XMON(1-42) | MON1, MON3 | Current Monitor Level
XMON0(1-42) | MONC | Initial Monitor Level
XMON1(1-42) | MONQ, MONH, MONC | Monitor Level
XN | MON1 | Sum Count (real)
XP(1-6) | DETECT, FOLAG, HIPASS, DERIV | Value of Filter Input at the Previous Sample Point
XP(7-20) | DETECT, FOLAG, HIPASS, DERIV | Not Used
XPP(1-7) | DETECT, FOLAG, HIPASS, DERIV | Value of Input to DERIV at the Previous Sample Point
XPP(8-10) | DETECT, FOLAG, HIPASS, DERIV | Not Used
Y | ROLLMON, MONC | Roll Uplogic Variable
Y(1) | DETECT | Sensed Normal Acceleration (ft/s/s)
Y(2) | DETECT | Sensed Lateral Acceleration (ft/s/s)
Y(3) | DETECT | Sensed Roll Rate (rps)
Y(4) | DETECT | Sensed Pitch Rate (rps)
Y(5) | DETECT | Sensed Yaw Rate (rps)
Y(6) | DETECT | Sensed Roll Angle (rad)
Y(7) | DETECT | Sensed Pitch Angle (rad)
Y(8) | DETECT | Sensed Yaw Angle (rad)
Y(9) | DETECT | Sensed Longitudinal Velocity (fps)
Y(10) | DETECT | Sensed Angle-of-Attack (rad)
Y(11) | DETECT | Sensed Altitude (ft)

Y(12-17) | DETECT | Not Used in DETECT
YP(1-6) | DETECT, FOLAG, HIPASS, DERIV | Value of Filter Output at the Previous Sample Point
YP(7-20) | DETECT, FOLAG, HIPASS, DERIV | Not Used